Scribd
Upload
1K views

Change Auditor Guide

Guide for Change AUditor

Uploaded by

Ali Touseef
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
1K views

Change Auditor Guide

Guide for Change AUditor

Uploaded by

Ali Touseef
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 68

Quest®Change Auditor 6.

9
Installation Guide
© 2017 Quest Software Inc.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a
software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the
applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written
permission of Quest Software Inc.
The information in this document is provided in connection with Quest Software products. No license, express or implied, by
estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest
Software products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE
AGREEMENT FOR THIS PRODUCT, QUEST SOFTWARE ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY
EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO
EVENT SHALL QUEST SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR
INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN
IF QUEST SOFTWARE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest Software makes no
representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the
right to make changes to specifications and product descriptions at any time without notice. Quest Software does not make any
commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Quest Software Inc. 
Attn: LEGAL Dept.
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our website (https://www.quest.com) for regional and international office information.
Patents
Quest Software is proud of our advanced technology. Patents and pending patents may apply to this product. For the most current
information about applicable patents for this product, please visit our website at https://www.quest.com/legal.
Trademarks
Quest, the Quest logo, and Join the Innovation are trademarks and registered trademarks of Quest Software Inc. For a complete
list of Quest marks, visit https://www.quest.com/legal/trademark-information.aspx. All other trademarks and registered trademarks
are property of their respective owners.

Legend

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Change Auditor Installation Guide


Updated - November 2017
Software Version - 6.9

Contents

Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
System requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
System statistics and facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Network traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Interval settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
System overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Installation overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Install Change Auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10


Installation workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Install the first coordinator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Required permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Install the client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Install multiple coordinators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Add Users to Change Auditor Security Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17


Introducing Change Auditor security groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Add accounts to security groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Add accounts to ChangeAuditor database role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Connecting to the Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20


Connect to the client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Open the web client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Access product information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Deploy Change Auditor Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22


Change Auditor agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Deploy agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Upgrade Change Auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25


Pre-upgrade considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Upgrade Change Auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Step 1: Upgrade all coordinators (and database schema) . . . . . . . . . . . . . . . . . . . . . . . 26
Step 2: Upgrade all clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Step 3: Upgrade the agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Post upgrade considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Installation Notes and Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29


Licensing Change Auditor products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Other installation notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Change Auditor for Windows File Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Change Auditor for Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Quest Change Auditor 6.9 Installation Guide


3
Contents
Change Auditor for Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Change Auditor for SharePoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Backup notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Agent behavior notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Client notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
ADAM (AD LDS) auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Change Auditor for SQL Server — SQL auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Multi-Forest Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Multi-forest deployment requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Installation example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Audit and protection configuration flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Event flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Reports and queries from the client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Workstation Agent Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47


Recommendations and deployment requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Manual workstation agent deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Agent Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Install an agent to audit ADAM (AD LDS) on workgroup servers . . . . . . . . . . . . . . . . . . 53


Agent installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Active Roles Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54


Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Deploying Change Auditor/Active Roles integration scripts . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Client components added to Change Auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Removing deployed Change Auditor/Active Roles integration scripts . . . . . . . . . . . . . . . . . . 58
Troubleshooting Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Quest GPOADmin Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60


Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
GPOADmin and Change Auditor integration process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Client components added to Change Auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Troubleshooting tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Windows Installer Command Line Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65


Agent options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Coordinator options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

About us . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
We are more than just a name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Our brand, our vision. Together. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Contacting Quest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Technical support resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Quest Change Auditor 6.9 Installation Guide


4
Contents
1
Installation Overview
Change Auditor provides auditing and security coverage for your enterprise network. You can audit the activities
taking place in your infrastructure and receive real-time alerts on vital changes and activities as they occur.
Instantly know who made changes including the IP address of the originating workstation, where and when it
occurred along with before and after values. Then automatically turn that information into intelligent, in-depth
forensics for auditors and management — and reduce the risks associated with day-to-day modifications.
• Audit critical changes across your enterprise including Active Directory, Azure Active Directory, Office 365
(Exchange Online, SharePoint Online, and OneDrive for Business), Windows File Servers, NetApp, EMC,
SQL Server, VMware vCenter, SharePoint, Microsoft Skype for Business and Fluid File Systems.
• Collect user login and log out activity for regulatory compliance and user activity tracking.
• Automate ongoing compliance with tracking and reporting for best practices and regulatory compliance
mandates for SOX, PCI-DSS, HIPAA, FISMA, GLBA, and more.
• Speed troubleshooting through real-time insight into changes with a comprehensive audit library including
built-in audit alerts, reports, and powerful searches.
• Proactively protect critical Active Directory objects, Exchange Mailboxes, and Windows files and folders
from harmful changes that could open security holes or cause resources to become unavailable.
• Separate product deployment and management for key environments including Active Directory,
Exchange, Windows File Servers, NetApp, EMC, SQL Server, Active Directory Query, SharePoint, Logon
Activity, and Skype for Business.
• Integrate with other products to track, audit, report, and alert on critical changes made using Quest
Authentication Services, Quest Defender, and Dell Fluid File System.
This guide contains the information required to install and configure Change Auditor and upgrade from a previous
release. It is intended for network administrators, consultants, analysts, and any other IT professionals installing
the product.
See the following information to get you started:
• Before you begin
• System requirements
• System statistics and facilities
• System overview
• Installation overview

Before you begin


If you do not already have Change Auditor, download it from https://support.quest.com/.
• Before you can download the product, you must register with Quest. If you are a registered Quest user, log
on using your email address and password.
• After you have registered or logged in, locate the product and version to download from the product list.

Quest Change Auditor 6.9 Installation Guide


5
Installation Overview
• On the download window, click the link and save the file to an appropriate directory (such as c:\temp).
NOTE: If you have purchased multiple Change Auditor products, download one instance of Change
Auditor only. The code is the same for all and the license keys determine what features are enabled
or disabled.

Before you install Change Auditor:


• Review the system requirements
• Review the complete installation process
• Review Installation Notes and Best Practices
• Read the Release Notes for updated information
• Ensure that you have the appropriate license files to enable Change Auditor auditing modules. A separate
license file is required to enable the functionality of each of the Change Auditor auditing modules:
▪ Quest Change Auditor for Active Directory
▪ Quest Change Auditor for Exchange
▪ Quest Change Auditor for Windows File Servers
▪ Quest Change Auditor for SQL Server
▪ Quest Change Auditor for Active Directory Queries
▪ Quest Change Auditor for Authentication Services
▪ Quest Change Auditor for Defender
▪ Quest Change Auditor for EMC
▪ Quest Change Auditor for NetApp
▪ Quest Change Auditor for Fluid File System
▪ Quest Change Auditor for SharePoint
▪ Quest Change Auditor for Logon Activity User (captures log on activity on monitored server agents)
▪ Quest Change Auditor for Logon Activity Workstation (captures log on activity on monitored
workstation agents)

▪ Quest Change Auditor for Skype for Business


NOTE: Change Auditor prompts you for a valid license during the coordinator installation. You cannot
proceed with an invalid or expired license. If you are upgrading Change Auditor, you do not need a
new license.

Quest Change Auditor 6.9 Installation Guide


6
Installation Overview
System requirements
Change Auditor includes the following components, all which have specific system requirements:
• Change Auditor coordinators
• Change Auditor client
• Change Auditor agents
• Change Auditor workstation agents
• Microsoft SQL Server database

• Change Auditor web client


NOTE: Each module also has specific auditing and system requirements.

See the Change Auditor Release Notes for details.

System statistics and facilities

Network traffic
• 1 to 3 KB of TCP traffic is generated per audit event sent from a Change Auditor agent to a Change Auditor
coordinator.
• 1 to 3 KB of TCP traffic is generated per record upon a successfully run search query.
• 1 KB of TCP traffic is generated every five minutes to update the Change Auditor agent statistics, which are
displayed on the Agent Statistics page.
NOTE: There are other network communications, primarily the agent downloading licensing, or configuration
data from the coordinator. This configuration can be large, depending on the auditing modules licensed and
how they are configured.

Interval settings
Table 1. Interval settings

Setting Description
Connection Interval Every five minutes a Change Auditor agent tries to establish a connection or
communication channel with a Change Auditor coordinator.
NOTE: Connection attempts can also be triggered when an agent loses its
connection to the coordinator, where the agent tries to re-establish a
connection.
Forwarding Interval Every five seconds an agent forwards all the audited events stored in the
local queue (agent’s database) to a Change Auditor coordinator. These
audited events have not been previously sent to the coordinator.
This interval is configurable using the Configuration Setup dialog.

Quest Change Auditor 6.9 Installation Guide


7
Installation Overview
Table 1. Interval settings

Setting Description
Polling Interval Every 900 seconds (15 minutes) the agent checks to determine if there have
been any modifications to the agent’s configuration.
This interval is configurable using the Configuration Setup dialog.
Retry Interval If the agent does not receive an immediate success acknowledgment from
the coordinator for the audited events it transmitted, the agent resends all
unacknowledged events after five minutes (300 seconds) from the previous
attempt.
This interval is configurable using the Configuration Setup dialog.

To display the Configuration Setup page


1 Select View| Administration to open the Administration Tasks tab.
2 Select Configuration | Agent from the navigation pane.
3 On the Agent Configuration page click Configurations to display the Configuration Setup dialog, open the
System Settings tab to view and modify the Forwarding Interval, Polling Interval or Retry Interval
settings.

System overview
Change Auditor agents are deployed to all servers (domain controllers and member servers) tracking configuration
changes in real time. When a change is made on a server running a Change Auditor agent, the change
information (audit event) is captured by the agent, batched and forwarded to a Change Auditor coordinator, which
then inserts the event details into the Change Auditor database.
NOTE: If the Change Auditor for Logon Activity Workstations auditing module is licensed, you must deploy
agents to the workstations that you want to monitor.

For each change detected, an audit event entry is created in the Change Auditor database with the following
information:
• Type of configuration change event
• Time and date of the configuration change event
• Identity of the machine the change was made on
• Identity of the managed object the change pertains to
• Old and new value of the change (if applicable)
• IP address of the workstation and client where the change originated
The coordinator fulfills client and agent requests and generates alerts. Multiple coordinators can be installed in a
single forest and an agent can be connected to multiple coordinators simultaneously. All connected coordinators
can participate in receiving events from the agent, allowing a high volume of events to be distributed for
processing.
NOTE: Server agents submit events to all available coordinators to load balance automatically. However,
workstation agents randomly connect to a single coordinator. This design enables ‘scaling out’ options for
large workstation agent deployments within a single site.

The Change Auditor client provides immediate access to key configuration change information. From the client
you can:
• Install, upgrade, or uninstall agents
• Define search criteria to return specific events and view the search results
• Enable and disable alerts and view the events that triggered these alerts

Quest Change Auditor 6.9 Installation Guide


8
Installation Overview
• Enable and schedule email reporting for individual search queries
• View agent and coordinator statistics
• Define custom Active Directory and ADAM (AD LDS) objects and attributes to audit
• Define the VMware hosts to audit
• Define the SharePoint farm and paths to audit
• Define file system auditing for Windows File Servers and EMC and NetApp devices
• Define the Fluid File System clusters to audit
• Specify the SQL Server instances to audit
• Specify the Exchange mailboxes to audit
• Specify the Office 365 Exchange Online organizations and SharePoint Online and OneDrive for Business
sites to audit
• Specify the containers to exclude from Active Directory query auditing
• Configure object protection for Active Directory, Exchange, File Systems, and Group Policies
• Define and assign agent configurations
• Configure SMTP for alerting and reporting
• Create and schedule purge jobs for maintaining the database
• Define who is authorized to use the Change Auditor client (Windows and web) features

Installation overview
Before installing Change Auditor, choose the SQL database to use. If you want to install the Change Auditor
database to a SQL instance other than the default instance of the selected SQL Server, create the instance before
running the installer.
Using the Change Auditor product DVD or running the autorun.exe file opens the Quest Change Auditor autorun,
allowing you to install the different Change Auditor components, access the product documentation, and install
other related Quest products and knowledge packs.
During the coordinator installation, you have the option of adding the current user to the Change Auditor
Administrators security group. If you select not to do this during the coordinator installation process, you need to
add your user account (and any other appropriate user accounts) to one of the Change Auditor security groups.
Quest also recommends that you add the Change Auditor Administrators and Change Auditor Operators groups to
the appropriate SQL database role. See Add Users to Change Auditor Security Groups for more information
regarding these security groups.
Open the client to deploy agents to the required servers. Also, if you have the Change Auditor for Logon Activity
Workstation auditing module licensed, deploy agents to the domain workstations you want to monitor. See Deploy
Change Auditor Agents for more details.
IMPORTANT: You must be a member of the Change Auditor Administrators group and have local
permissions to deploy agents.

You can optionally install the Change Auditor web client to access (search and report on) the data collected by
Change Auditor, create custom search queries, and perform administration tasks to manage Change Auditor. See
the Change Auditor Web Client User Guide for information about installing and running the web-based client.

Quest Change Auditor 6.9 Installation Guide


9
Installation Overview
2
Install Change Auditor
• Installation workflow
• Install the first coordinator
• Install the client
• Install multiple coordinators

Installation workflow
Quest recommends installing the Change Auditor components in the following order:
• Database (SQL Server) — Make sure the SQL server that you are going to use is available and the
installation account has SQL Server role as dbcreator. To host the Change Auditor database on a SQL
instance other than the default instance of the selected SQL Server, create the instance before running the
installer.
NOTE: The database name must not include embedded spaces, special characters, or
supplementary characters. For more details, see Microsoft’s database identifier documentation.

• Coordinator — When prompted, specify the SQL server to use and the installation account. The Change
Auditor database is created remotely on this server during the installation.
NOTE: During the coordinator installation, you are have the option of adding the current user to the
Change Auditor Administrators security group. If you did not add the current user during the
installation process or want to add extra user accounts to the Change Auditor security groups, add
them before running the client. We also recommend that you then add these security groups to the
appropriate SQL database role (that is, Change Auditor Administrators — <InstallationName> group
to the Change Auditor_Administrators role and ChangeAuditor Operators — <InstallationName>
group to the ChangeAuditor_Operators role). See Add Users to Change Auditor Security Groups.

• Client — After you have confirmed that the coordinator is functioning correctly, install the Change Auditor
client.
TIP: Quest recommends that you install the first Change Auditor coordinator and client, but do not
deploy agents until after you have installed required coordinators. When deploying agents, you can
select which installation to use for each of the agents.

• Agents — Open the client to deploy agents to your domain controllers and member servers. Also, if you
have Change Auditor for Logon Activity Workstation licensed, deploy agents to the domain to monitor for
logon activity.
• Web client — Optionally, install the web client on the IIS web server.
This topic provides instructions for installing Change Auditor coordinators and the Change Auditor client. See
Deploy Change Auditor Agents for instructions on deploying agents. See the Change Auditor Web Client User
Guide for instructions on installing and running the web-based client.

Quest Change Auditor 6.9 Installation Guide


10
Install Change Auditor
Install the first coordinator
The coordinator fulfills client and agent requests and generates alerts. Multiple coordinators can be installed in a
single forest to provide fault tolerance of the Change Auditor service tier. See Install the client.
NOTE: UDP port 389 must be open on initial installs and upgrades for the coordinator to start.

The coordinator installation creates the following components:


• The coordinator
• A coordinator system tray icon, where you can enable or disable the coordinator, display the status of the
coordinator installed on the current computer, change the database instance or service accounts used to
access the database, or specify a static port to use to communicate with the coordinator.
NOTE: See the Change Auditor User Guide for more information about the Change Auditor
coordinator system tray icon.

• Three installation-specific Active Directory security groups to enable access to the Change Auditor client
and shared overviews distributed using the Change Auditor web client.
▪ ChangeAuditor Administrators — <InstallationName>
▪ ChangeAuditor Operators — <InstallationName>
▪ ChangeAuditor Web Shared Overview Users — <InstallationName>
Where <InstallationName> is a unique name selected during the coordinator installation to isolate your
components from any other Change Auditor installation in your Active Directory forest.
NOTE: See the Change Auditor Web Client User Guide for more information about the
ChangeAuditor Web Shared Overview Users security group.

• Two SQL database roles (ChangeAuditor_Administrators and ChangeAuditor_Operators). These roles are
added to the Change Auditor database to facilitate database connections from an untrusted forest with the
least amount of privileges. The two roles allow administrators to control access to the Change Auditor
database through SQL security.

Quest Change Auditor 6.9 Installation Guide


11
Install Change Auditor
Required permissions
IMPORTANT: Minimum permissions
User account installing the coordinator:
The user account that is installing the coordinator must have permission to perform the following tasks on the
target server:
• Windows permissions to create and modify registry values.
• Windows administrative permissions to install software and stop or start services.
The user account must also be a member of the Domain Admins group in the domain where the
coordinator is being installed.
Service account running the coordinator service (LocalSystem by default):
• Active Directory permissions to create and modify SCP (Service Connection Point) objects under the
computer object that is running a Change Auditor coordinator.
• Local Administrator permissions on the coordinator server.
If you are running the coordinator under a service account (instead of LocalSystem), define a Manual
connection profile where you can specify the IP address of the server hosting the coordinator. You can
specify and select connection profiles whenever you open the Change Auditor client. See the Change
Auditor User Guide or online help for more information about defining and selecting a connection profile.
SQL Server database access account specified during installation:
Create an account that the coordinator service can use on an ongoing basis for access to the SQL Server
database. This account must have a SQL Login and be assigned the following SQL permissions:
• Must be assigned the db_owner role on the Change Auditor database
• Must be assigned the SQL Server role of dbcreator

To install the first coordinator:


NOTE: You should have received separate license files from Quest to enable the Change Auditor products
you purchased. Before you begin the installation, copy the appropriate .asc license files to the local hard
drive where you are installing Change Auditor.

1 Verify that the user account used to run the coordinator installation is at least a Domain Admin in the
domain to which the coordinator server belongs.
2 Use an existing account or create a user account in Active Directory that Change Auditor will use to access
the SQL Server.
3 Create a SQL Login for this Active Directory user account and assign the following permissions to this
login: Server role: dbcreator
4 From the member server, insert the Change Auditor DVD or if you downloaded the product from the Quest
website, run the autorun.exe file.
5 Click Install for the Install Change Auditor Coordinator option to open the Change Auditor Coordinator
Setup wizard.
6 Enter the information requested in the Coordinator Setup wizard.
Review the table for additional information. This table only covers unfamiliar information. It does not include
all the wizard screens or field descriptions.

Quest Change Auditor 6.9 Installation Guide


12
Install Change Auditor
Table 2. Coordinator Setup wizard — installing first coordinator

Product Licensing screen


Licenses Click Licenses to locate and apply a new license file or update an
existing license.
On the License Status dialog, click Browse License to locate the
Change Auditor licenses to apply.
Installation Name screen
After licensing the product, the setup wizard prompts you to enter a unique installation name to identify
the database to which the coordinator will connect.
NOTE: If you plan on installing multiple coordinators, see Install the client for more details regarding the
ChangeAuditor installation name.
ChangeAuditor Installation Enter a unique Change Auditor installation name that identifies the
Name current installation within your Active Directory environment. An
installation name is required; has a limit of 22 characters; can only
contain alphanumeric characters and underscores; and is converted to
all caps.
NOTE: Quest recommends that you use the default (DEFAULT)
installation name.
NOTE: If you entered an existing installation name, confirm that you
want to join this component to an existing installation. Click Yes to
proceed or No to reenter a unique installation name.
SQL Server Information screen
SQL Server and Instance Enter the server name or IP address (member server running the SQL
instance) and the SQL instance name for the Change Auditor
coordinator database such as, <FQDN of the SQL server>\<instance
name>.
Or browse your Active Directory network to locate the required instance.
NOTE: If you are using Windows security to access your SQL Server,
ensure that the domain user is granted access to the SQL Server.
Name of database catalog Enter the name to assign to the Change Auditor database.
NOTE: If an existing Change Auditor database is present, you should
provide a unique name for the Change Auditor database. If a database
with the name entered is found, a warning message explains the need to
provide a unique name for your new Change Auditor database. On this
warning dialog, click Cancel to specify a different database name.
Clicking OK proceeds to the Ready to Install the Program screen.
Authentication/ Credentials Use the authentication section to specify whether to use Windows
authentication or SQL authentication when communicating with the SQL
database instance. (The authentication method is set up when SQL is
installed.)
NOTE: If Windows Authentication is used to access the designated
SQL instance, a verification screen is displayed. Verify that the server
name, SQL instance name, and credentials are correct before
proceeding. Incorrect entries cause the Change Auditor coordinator
service to fail on startup.

Quest Change Auditor 6.9 Installation Guide


13
Install Change Auditor
Table 2. Coordinator Setup wizard — installing first coordinator
ChangeAuditor Administrators screen
Add the current user to the This check box is selected by default and adds the current user to the
“ChangeAuditor Administrators ChangeAuditor Administrators — <InstallationName> group.
- <InstallationName>” security Any user that is running a Change Auditor client must be added to either
group this security group or the ChangeAuditor Operators security group.
In addition, users responsible for deploying Change Auditor agents must
be a member of the ChangeAuditor Administrators group in the specified
ChangeAuditor installation.
See Add Users to Change Auditor Security Groups for more information
about these security groups and how to add more user accounts.
Specify Port Information screen
By default Change Auditor dynamically assigns communication ports to use to communicate with each
installed coordinator. However, using the port settings on this screen you can specify static SCP listening
ports to use instead.
NOTE: A zero (0) indicates that a dynamic port is being used. These port assignments can also be set
using the Coordinator Configuration Tool which is accessed by right-clicking the Change Auditor
coordinator system tray icon.
Client Port Enter the static port number for the Change Auditor client to
communicate with the coordinator.
TIP: If you are planning on installing the Change Auditor web client,
enter a static client port.
Public SDK Port Enter the static port number for external applications to access the
coordinator.
Agent Port (Legacy) Enter the static port number for legacy (5.x) Change Auditor agents to
communicate with the coordinator.
Agent Port Enter the static port number for Change Auditor 6.x agents to
communicate with the coordinator.

7 After you have entered all the requested information, click Install to start the installation process.
8 After the coordinator is installed, you can use the Quest Change Auditor autorun to install the client.
NOTE: Reboot the server if you have any other Quest solutions installed on this server.

Install the client


The client connects directly to the coordinator or to an archive database and is the user interface that provides
immediate access to key configuration change information.

To install the client:


1 On a workstation, laptop or member server, insert the Change Auditor DVD or run the autorun.exe file.

2 Select the Install Change Auditor Client option to open the Client Setup wizard.
NOTE: If Microsoft .NET 4.6.1 is not installed on the computer, an extra screen is displayed
explaining that this application was not found and the install cannot continue. Click Close to stop the
client install. Download and install the required .NET version. After .NET is successfully installed,
restart the client installation.

3 Read and accept the license agreement and click Next.

Quest Change Auditor 6.9 Installation Guide


14
Install Change Auditor
4 Quest has a Software Improvement Program to help identify and improve the features you use most.
Involvement in this program is voluntary. If you choose to participate, the following feedback is
automatically sent to Quest Software Inc.:
▪ Anonymous information about your hardware configuration.
▪ Anonymous information about how you use Change Auditor.
▪ External IP address.
Select the country where you are installing Change Auditor to see your options and click Next.
NOTE: Depending on your local, you can opt into the program or remove it from your system. You can stop
participating in the program by selecting Help | About and clearing the Participate in the Change Auditor
Software Improvement Program option.

5 Select the installation directory and click Next.


6 Select your shortcut options and click Next.
7 Click Install.
8 After the coordinator and client are installed, close the autorun program.
If you are installing multiple coordinators, install your additional coordinators now.

Install multiple coordinators


When installing multiple coordinators in your Active Directory forest, the Change Auditor installation name entered
during the coordinator installation determines if they connect to the same SQL database or to different database
installation. That is,
• If you use an existing installation name for each coordinator, these coordinators all connect to the same
SQL database installation.
• If you enter a unique installation name for each coordinator, these coordinators connect to different SQL
database installations.
A unique installation name allows you to isolate your installation of Change Auditor from any other installations of
Change Auditor in your Active Directory forest. When all Change Auditor installations are upgraded in the forest,
the installation name:
• Allows all coordinators to use your central SQL database, while ensuring no other installation’s
coordinators use your SQL database.
• Ensures that only agents in your installation connect to your coordinator. See Deploy Change Auditor
Agents.
• Ensures only users in your installation’s security groups can use the Change Auditor client to manipulate
your configuration and view your data.
TIP: Quest recommends that you install the first coordinator and client, but do not deploy agents until after
you have installed all additional coordinators required. When deploying agents, you can select which
installation to use for each of the agents.

To install more coordinators:


1 Run the autorun program (autorun.exe) on the individual member servers that are to host a coordinator.
2 On the Install page of the autorun, select the Install Change Auditor Coordinator option. Enter the
information requested in the Coordinator Setup wizard.

Quest Change Auditor 6.9 Installation Guide


15
Install Change Auditor
Review the following table for additional information. This table only covers information regarding multiple
coordinator installations. It does not include all the wizard screens or field descriptions.
Table 3. Coordinator Setup wizard — installing multiple coordinators
Product Licensing screen
Licenses Use the same license files used for the first coordinator.
NOTE: If you have installed or licensed multiple auditing modules, apply the
appropriate license for each of the installed auditing modules.
Installation Name screen
Change Auditor Enter a unique installation name to use a different database. Enter an existing
Installation Name installation name or browse to connect to an existing Change Auditor
installation.
NOTE: By selecting an existing Change Auditor installation, you are joining this
component to the specified installation. (For example multiple coordinators will
be connected to the same database and agents can connect to any of the
coordinators in this installation).
NOTE: If you entered an existing installation name, confirm that you want to join
this component to an existing installation. Click Yes to proceed or No to enter a
unique installation name.
Specify Port Information screen
By default Change Auditor dynamically assigns communication ports used to communicate with each
installed coordinator. However, using the port settings on this screen you can specify static SCP listening
ports to use.
NOTE: A zero (0) indicates that a dynamic port is being used. These port assignments can also be set
using the Coordinator Configuration Tool which is accessed by right-clicking the Change Auditor
coordinator system tray icon.
Client Port Enter the static port number for the client to communicate with the coordinator.
Public SDK Port Enter the static port number for external applications to access the coordinator.
Agent Port (Legacy) Enter the static port number to for legacy (5.x) agents to communicate with the
coordinator.
Agent Port Enter the static port number for Change Auditor 6.x agents to communicate with
the coordinator.

Quest Change Auditor 6.9 Installation Guide


16
Install Change Auditor
3
Add Users to Change Auditor
Security Groups
• Introducing Change Auditor security groups
• Add accounts to ChangeAuditor database role
• Add accounts to security groups

Introducing Change Auditor security


groups
During the coordinator installation, the following security groups are created to allow access for performing various
functions within Change Auditor:
• ChangeAuditor Administrators — <InstallationName> Group — provides access to all aspects of
Change Auditor and to deploy agents.
• ChangeAuditor Operators — <InstallationName> Group — provides access to Change Auditor except
for making configuration changes.
• ChangeAuditor Web Shared Overview Users — <InstallationName> Group — provides access to the
web client shared overviews, while restricting access to only what has been shared. See the Change
Auditor Web Client User Guide for more information about sharing overviews.
The installation name assigned during the coordinator installation is appended to these security groups. For
example, when using the default installation name, these groups are named:
• ChangeAuditor Administrators — DEFAULT
• ChangeAuditor Operators — DEFAULT
• ChangeAuditor Web Shared Overview Users — DEFAULT
Two Domain Local Security Groups are created in the same domain as the coordinator. The Group Scope can be
changed to Universal as long as the Group Names remain ChangeAuditor Administrators — <InstallationName>
and ChangeAuditor Operators — <InstallationName>.
NOTE: If the domain’s Functional Level is in Windows 2000 Mixed mode, then Local Security groups are
created on each coordinator member server.

Membership in the ChangeAuditor Administrators and ChangeAuditor Operators groups enable the client to
connect and authenticate to a coordinator; therefore, any user that is running a Change Auditor client must be
added to one of these groups. In addition, all users responsible for deploying agents must also be a member of the
ChangeAuditor Administrators group in the specified Change Auditor installation. If you are not a member of this
security group for this installation, you get an access denied error.
NOTE: If multiple coordinators are installed in a mixed mode environment, to connect to each coordinator,
you must add your user account to one of these groups on each of the member servers where the
coordinators reside.

Quest Change Auditor 6.9 Installation Guide


17
Add Users to Change Auditor Security Groups
All users running a client must also have the proper SQL credentials for accessing a Change Auditor archive
database. One way of accomplishing this would be to add the ChangeAuditor Administrators and ChangeAuditor
Operators groups into the appropriate SQL database roles which were also created during the coordinator
installation: ChangeAuditor_Administrators and ChangeAuditor_Operators.

Add accounts to security groups


During the coordinator installation process, you could add the current user to the ChangeAuditor Administrators
security group in the specified Change Auditor installation. If you selected not to add the current user during the
installation process or want to add more user accounts, use the following procedure.
To add user accounts to security groups:
Use the Active Directory Users and Computers MMC snap-in to add the appropriate user accounts to one of the
Change Auditor groups:
1 Open the Active Directory Users and Computers snap-in.
2 Connect to the domain where the coordinator was installed.
3 Right-click and select Properties on the group called ChangeAuditor Administrators — <InstallationName>
or ChangeAuditor Operators — <InstallationName>.
4 Select the Members tab.
5 Click Add and browse to the appropriate user object.
6 Click OK to close the Active Directory Users and Computers snap-in.
7 To apply this change, log out and back in.
Adding the appropriate users to one of these groups allow the client to successfully connect to the coordinator.

To add user accounts to security groups (Domain in Windows 2000 mixed mode):
Use the Microsoft Computer Management tool to add the appropriate user accounts to one of the Change Auditor
groups:
1 From the member server where the Change Auditor coordinator is installed, right-click My Computer and
select Manage.
2 From the Computer Management dialog, expand Local Users and Groups and select Groups.
3 Right-click and select Properties on the group called ChangeAuditor Administrators — <InstallationName>
or ChangeAuditor Operators — <InstallationName>.
4 Click Add and browse to the appropriate user object.
5 Click OK to close the Computer Management tool.
6 To apply this change, log out and back in.
Adding the appropriate users to one of these groups allow the client to successfully connect to the coordinator.

Quest Change Auditor 6.9 Installation Guide


18
Add Users to Change Auditor Security Groups
Add accounts to ChangeAuditor
database role
NOTE: This process only applies to archive databases and must be modified each year to apply to the new
archive for that year

To add accounts to the ChangeAuditor database role:


Use the Microsoft SQL Management Studio to add the appropriate user or group accounts to one of the
ChangeAuditor database roles:
1 Open the Microsoft SQL Server Management Studio and connect to the SQL database server.
2 Navigate to the <SQL Server(Instance)> | Security | Logins directory. Expand the Logins node.
3 Right-click the Logins node and select New Login.
4 On the Select User or Group dialog, click Object Types and make sure that the Groups check box is
selected. Click Location to search either the Entire Directory or local SQL server (depending on where the
group was created, which is determined by the domain functional level). Click Check Names to select the
user or group account (for example, ChangeAuditor Administrators) to be added.
5 In the Select a Page pane (left pane), select User Mapping.
6 In the Users mapped to this login pane (top pane), select the Change Auditor database.
7 In the bottom pane, Database role membership for: ChangeAuditor, select the
ChangeAuditor_Administrators role.
8 Click OK. Your SQL Login account for Change Auditor database access is now mapped to the appropriate
role.
Repeat these steps to create a SQL Login for the ChangeAuditor Operators group and assign this login to
the ChangeAuditor_Operators role for the Change Auditor database.

Quest Change Auditor 6.9 Installation Guide


19
Add Users to Change Auditor Security Groups
4
Connecting to the Clients
• Connect to the client
• Open the web client
• Access product information

Connect to the client


The following conditions must be met to properly connect:
• Communications are successful, meaning the coordinator service is running and has a valid SCP listening
port (no firewall implications). If this condition fails, the client displays an error dialog stating the appropriate
issue.
• The current authenticated user running the client has the proper credentials for accessing the coordinator
service. If this condition fails, the client displays the Coordinator Credentials Required dialog where you
can enter the proper login credentials to access the coordinator.
• The current authenticated user is a member of either the ChangeAuditor Administrators or ChangeAuditor
Operators AD group. If this condition fails, the Change Auditor logon screen displays an error and allows
you to enter the appropriate credentials.
• When using a direct database connection, the current authenticated user running the client has the proper
SQL credentials for accessing the SQL database. If this condition fails, the client displays the Database
Credentials Required dialog where you can enter the proper logon credentials to access the SQL
database.

To open the client


1 Select Start | All Programs | Quest | Change Auditor | Change Auditor Client.
The Connection screen opens where you can connect to the ‘default connection’ profile or define or specify
a different connection profile.
A connection profile defines the connection method used to connect to a coordinator in trusted or untrusted
forests, or to the database directly without connecting with the coordinator. See Manage Connection
Profiles in the Change Auditor User Guide for more information about defining connection profiles.
2 Initially, select Connect to use the default connection profile.
After you have defined alternate connection profiles, select the appropriate profile from the drop-down list
and click Connect.
3 If you do not have the proper credentials required for access, the credentials dialog opens allowing you to
enter the required credentials.
Depending on how your system has been configured, you must enter a user account and password or a
smart card certificate and personal identification number.
4 You are now ready to deploy agents. See Deploy Change Auditor Agents for details.

Quest Change Auditor 6.9 Installation Guide


20
Connecting to the Clients
Open the web client
The web client enables you to perform administrative tasks, search for configuration changes and view Change
Auditor data using a web browser rather than the Change Auditor client.
NOTE: The web client’s appearance is different based on whether you have started it using a standard
browser or a mobile browser. The procedures in this guide illustrate the standard browser version of the web
client.

NOTE: Upgrading the web client


After you have upgraded the web client, you may need to force your browser to reload the Change Auditor
web pages from the web server (CTRL-F5 for IE, Chrome ,or Firefox) to ensure you are seeing the most up-
to-date changes made to style components within the web client (for example, icons, text or images). See
the documentation for your browser for further details.

To open the web client:


1 Open your web browser and enter the URL of the web application server.

http://<Web Server Host Name>/ChangeAuditor


NOTE: If you specified a different default port (other than 80) on the Internet Information Services
screen of the setup wizard, you must also enter the default port specified:
http://<Web Server Host Name>:<Port>/ChangeAuditor

2 When the web client is opened, log on by entering the user name (<Domain>\<UserName>) and password
of an authorized Active Directory account.
NOTE: Selecting the Remember Me check box retains your <Domain>\<UserName> on
subsequent sessions.

3 Click Log In.

Access product information


The first time the client is opened, the Start page provides access to news and updates, support, and knowledge
base content, online documentation, links to the latest releases, and essential contact links.
If you do not want to see this page each time that you open the client, then clear the Display this page each time
I log in option. One this option has been cleared, the next time you log in you will be directed automatically to the
Overview page. However, Quest suggest you keep the Start page active as it contains the most up-to-date access
to the supporting information you may require.

Quest Change Auditor 6.9 Installation Guide


21
Connecting to the Clients
5
Deploy Change Auditor Agents
• Change Auditor agents
• Deploy agents

Change Auditor agents


Once you have installed the coordinators and client, you are ready to deploy agents to the servers and
workstations.
NOTE: If you have not added the appropriate user accounts to either the ChangeAuditor Administrators or
ChangeAuditor Operators group, you are denied access to the coordinator when you open the client. See
Add Users to Change Auditor Security Groups for more information about these security groups and SQL
database roles.

Quest recommends that you deploy a server agent to all servers (domain controllers and member servers) to track
configuration changes in real time. For workstations, deploy a workstation agent to only those that you want to
monitor for login activity. See Agent behavior notes for information about how the different types of agents connect
to the coordinators in your environment and the limits set for agent connections.
When a change is made on a server running an agent, the change information (audited event) is captured and
forwarded to the specified database.
NOTE: The agent database supports up to 3 GB. After the database size reaches this limit, no new events
are audited and the ‘Agent service has reached a critical load’ event is generated. This typically occurs when
an agent is disconnected from a coordinator for an extended period.

NOTE: See the Installation Notes and Best Practices for notes on deploying agents for Change Auditor for
Exchange and Change Auditor for Authentication Services.

NOTE: To install Change Auditor agents to monitor ADAM (AD LDS) instances on workgroup servers, run
the agent installer package (Quest Change Auditor Agent 6 (x64)).msi. See Install an agent to audit ADAM
(AD LDS) on workgroup servers for details.

NOTE: When you are using Active Roles, there is an extra integration step that you can take to capture the
user who initiated the change. See Active Roles Integration.

The Deployment page in the client displays all the servers and workstations discovered in your Active Directory
environment. From here, you specify the servers (and workstations) to host an agent. For a description of the
Deployment page, see the online help or Change Auditor User Guide.
NOTE: The Deployment page does not display nonmember objects, such as ADAM workgroup servers or
nondomain workstations, because agents cannot be deployed to non-member objects using the Deployment
tab. See Install an agent to audit ADAM (AD LDS) on workgroup servers for more information about
manually installing agents to workgroup servers. See Workstation Agent Deployment for more information
about manually installing agents to non-domain workstations.

Quest Change Auditor 6.9 Installation Guide


22
Deploy Change Auditor Agents
Deploy agents
IMPORTANT: Minimum permissions
The Agent Deployment wizard runs under the security context of the currently logged on user account.
Therefore, you must have administrative authority to install software on every target computer. You must be
a Domain Admin in every domain that contains servers that you are targeting for installation.
If you are targeting domain controllers only, membership in the Enterprise Admins group grants you
authority to all domain controllers in the forest.
All users responsible for deploying agents must be a member of the ChangeAuditor Administrators group in
the specified Change Auditor installation. If you are not, you get an access denied error.

Starting with Change Auditor 6.9, you cannot install an agent on the following Operating Systems: Windows 2003
SP2, Windows 2003 R2, or Windows 2008 SP2. During an agent install, if one of these operating systems is
detected, the latest version of the agent that supports the operating system is installed.
For example, when you install an agent on a Windows 2012 server, the 6.9 agent is deployed. When you deploy
an agent on a Windows 2008 SP2 server, the latest 6.8 agent is installed.
The following procedures step you through the process of deploying agents. See the Change Auditor User Guide
for procedures on using the advanced options and setting up auto deployment of new servers.

To deploy agents:
1 Verify that the user account you are using to deploy agents is at least a Domain Admin in every domain
that contains servers or workstations where agents will be deployed.
2 Verify that the user account is a member of the ChangeAuditor Administrators group in the specified
Change Auditor installation.
3 Open the client. If agents have not yet been deployed, select the Deployment tab. Otherwise, use View |
Deployment.
The Deployment page is populated with the servers (domain controllers and member servers) and
workstations in your Active Directory environment.
NOTE: The Deployment page may initially be empty until the current forest’s server topology has
been initially harvested. Topology scan takes a long time when the environment contains many
workstations. This page is automatically refreshed after this task has completed.

4 From this list, select an entry and select Credentials | Set to enter the proper user credentials for installing
agents on the selected domain.
On the Domain Credentials dialog, select the domain from the list and click Set. On the Logon Credentials
dialog, enter the credentials of a user with administrator rights on the selected domain.
5 After entering the proper credentials, select the entry back on the Deployment page and select Credentials
| Test. If you get a Valid Creds status in the Deployment Result column, you can start deploying agents to
that domain.
If you get a Logon Failure status in the Deployment Result column, use the Credentials | Set command
to enter the proper credentials for installing agents.
6 By default, the Change Auditor agent folders (Agent, Systray) are installed to
%ProgramFiles%\Quest\ChangeAuditor\. You can, however, change the location of the installation folder
by clicking Advanced Options.
7 Select one or more servers or workstations on the Deployment page and click Install or Upgrade.
8 On the Install or Upgrade dialog select one of the following options to schedule the deployment task:
▪ Now (default)
▪ When
If you select the When option, enter the date and time when you want the deployment task to initiate. Click
OK to initiate or schedule the deployment task.

Quest Change Auditor 6.9 Installation Guide


23
Deploy Change Auditor Agents
Back on the Deployment page, the Agent Status column displays ‘Pending’ and the When column
displays the date and time specified.
NOTE: To cancel a pending deployment task, select the server or workstation and then click Install
or Upgrade. On the Install or Upgrade dialog, click Clear Pending.

9 As agents are successfully connected to the coordinator, the corresponding Deployment Result cell
displays ‘Success’, the Agent Status cell displays ‘Active’ and a desktop notification displays in the lower
right-hand corner of your screen.
NOTE: To deactivate these desktop notifications, select Action | Agent Notifications.

Once agents are deployed and you open the client, the Overview page opens and provides a real-time
stream of events based on a ‘favorite’ search definition and other summary information.
NOTE: After the deployment, the Version cell might display a previous version of an agent if you
installed the agent on an unsupported platform.

Quest Change Auditor 6.9 Installation Guide


24
Deploy Change Auditor Agents
6
Upgrade Change Auditor
This section contains information about upgrading Change Auditor. Before proceeding with an upgrade, read the
following information carefully and consider all steps that apply to your deployment.
You can upgrade to Change Auditor 6.9 from the following upgrade paths.
Table 4. Available upgrade paths

Upgrade from... Details


Change Auditor 6.0, 6.5, 6.6, 6.7, You can upgrade directly to version 6.9.
6.8 If the 6.9 upgrade cannot proceed because 5.x events are still present in
the database, upgrade to 6.8 first to complete the upgrade of the 5.x
events, then upgrade to 6.9. Ensure that upgrade of the 5.x events has
fully completed before you upgrade to 6.9.
Change Auditor 5.9 or below You cannot upgrade directly to version 6.9. You must upgrade to 6.8 first.

• Pre-upgrade considerations
• Upgrade Change Auditor
• Post upgrade considerations

Pre-upgrade considerations
Review these special considerations before running an upgrade.

Services using Change Auditor SDK


Stop any services that use the Change Auditor SDK, such as Active Roles or GPOADmin, before starting the
upgrade process.

Server collation differences


Starting with Change Auditor 6.0, on the coordinator startup the database collation is checked against SQL server
collation. If they are different, the coordinator stops and logs the “Database collation differs from server collation”
warning. If it is not possible to update collation of the SQL server, use the AllowCollationSwitch registry key to
allow proceeding with rebuilding Change Auditor database according to the new collation. However, using this in
environment with large number of events in the database significantly increases the load on SQL server. See the
Change Auditor Technical Insight Guide for more information about setting this registry key.

Upgrading Change Auditor agents on high volume Exchange servers


It is critical that Change Auditor for Exchange agent upgrades be scheduled for maintenance intervals or other
periods of low user mailbox activity for any configuration of Exchange Server. Change Auditor for Exchange agent
upgrades should not be attempted on an active Exchange Server cluster node in any case. Attempting to upgrade
the agent on a busy Exchange Server may result in:
• Exchange 2010 client access role: failed agent upgrade, unwanted RpcClientAccess service restart, or
unscheduled Exchange cluster node failover

Quest Change Auditor 6.9 Installation Guide


25
Upgrade Change Auditor
• Exchange 2013 mailbox role: failed agent upgrade, unwanted RpcClientAccess service restart, or
unscheduled Exchange cluster node failover
• Exchange 2010 or 2013 client access role: unwanted IIS Exchange application pool restarts.
To eliminate the possibility of unscheduled Exchange Server downtime, perform agent upgrades to Exchange
Servers during periods of low or no mailbox activity. When upgrading agents on busy Exchange Servers, it is also
recommended that you manually stop the agent before upgrading to avoid a possible timeout on the stop
command. Verify that the Change Auditor agent service is stopped on the Exchange Server before proceeding
with the agent upgrade.

Alert Configuration (Evaluation Frequency)


This setting is no longer available. If you want to reduce the amount of email produced from alert-enabled
searches, you must set the "AlertScanPeriod" registry key setting on the coordinator computer:
HKLM\SOFTWARE\Quest\ChangeAuditor\Coordinator
Value: AlertScanPeriod
Type: DWORD
Default value: 60 seconds
Description: Specifies the time interval between generating alerts.

Upgrade Change Auditor


To ensure success, upgrade the Change Auditor components in the following order:
• Step 1: Upgrade all coordinators (and database schema)
• Step 2: Upgrade all clients
• Step 3: Upgrade the agents

Step 1: Upgrade all coordinators (and database


schema)
NOTE: During an upgrade of the first coordinator, the Change Auditor database is upgraded. Before
proceeding with the coordinator upgrade, backup the database.

To upgrade all coordinators (and database schema):


1 Stop all coordinators.
2 Log on to the coordinator server to upgrade and run the autorun.exe file.
3 On the Install page, click Install for the Install Change Auditor Coordinator option to invoke the
Coordinator Setup wizard.

4 Follow the Change Auditor Coordinator Setup wizard.


NOTE: If you are upgrading from Change Auditor 6.0, 6.5, 6.6,6.7 or 6.8 you do not require new
licenses, and can click through the Product Licensing screen.
If you purchased additional Change Auditor products (such as Change Auditor for SharePoint), apply
this new license as well. New product licenses can be applied now or later using the Change Auditor
License Manager (Start | All Programs | Quest | Change Auditor | License Manager).

5 After the Change Auditor Coordinator Setup wizard has successfully finished, wait until the coordinator
goes from an ‘Initializing’ status to a ‘Running’ status. To determine the coordinator’s status, right-click the
Change Auditor coordinator system tray icon and select the Coordinator Status option.

Quest Change Auditor 6.9 Installation Guide


26
Upgrade Change Auditor
6 Continue to upgrade the remaining coordinators one at a time following steps 2 to 4.

Step 2: Upgrade all clients


To upgrade a client:
1 From a workstation, laptop, or member server, run the autorun.exe file.
2 On the Install page, click Install for the Install Change Auditor Client option to start the Client Setup
wizard.
3 Follow the Change Auditor Client Setup wizard.
See Install the client for more detailed information about the Client Setup wizard.

To upgrade a Change Auditor web client:


1 On the IIS server, run the autorun.exe file.
2 On the Install page, click Install for the Install Change Auditor Web Client option to start the Change
Auditor Web Client Setup wizard.
3 Follow the Change Auditor Web Client Setup wizard.
See the Change Auditor Web Client User Guide for more detailed information about the Change Auditor
Web Client Setup wizard.

Step 3: Upgrade the agents


NOTE: Previous versions of Change Auditor agents (5.8, 5.9, 6.0, 6.5, 6.6, 6.7, and 6.8 can connect and
work with the new Change Auditor 6.9 coordinator and client. Direct upgrades to 6.9 are supported from
versions 6.0, 6.5, 6.6, 6.7, and 6.8.

The Change Auditor 6.9 agent requires .NET 4.5.2. See the System statistics and facilities system requirements
for the list of supported platforms.
Starting with Change Auditor 6.9, the Change Auditor agent cannot be installed on the following Operating
Systems: Windows 2003 SP2, Windows 2003 R2, or Windows 2008 SP2. During agent upgrade, if one of these
operating systems is detected, the latest version of the Change Auditor agent that supports the operating system
is installed.
For example, when you upgrade a 6.7 agent with Change Auditor 6.9 on a Windows 2012 server, the 6.9 agent is
deployed. When you upgrade a 6.7 agent with Change Auditor 6.9 on a Windows 2008 SP2 server, the upgrade is
to the latest 6.8 agent.
If you are upgrading a 6.8 agent on an unsupported platform, the agent is upgraded to a newer 6.8 agent if it
determines that the deployed 6.8 agent is older than the 6.8 agent that is included with 6.9.

To upgrade Change Auditor agents:


1 Open the client and select View | Deployment.
2 Select the agents to upgrade and click Install or Upgrade.
NOTE: If you get an Access Denied status in the Deployment Results column, use the Credentials
| Set command to enter the proper credentials for installing agents.

3 Select one of the following options to schedule the deployment task:


▪ Now (default)
▪ When

Quest Change Auditor 6.9 Installation Guide


27
Upgrade Change Auditor
If you select the When option, enter the date and time when you want the deployment task to initiate. Click
OK to initiate or schedule the deployment task.

Post upgrade considerations


Querying the Change Auditor database directly is not
supported
Querying the database directly is not supported. Any 5.x scripts previously created to manipulate the 5.x (or
earlier) events do not work with Change Auditor 6.9.

Data gateway service


The Data Gateway Service is no longer used in Change Auditor for capturing user logon activity events. If you had
an earlier version of this service running, you can remove it.

Active Roles integration


If the Active Roles scripting module has been deployed in a previous Change Auditor version, refer to the following
knowledge base article which details the process to move to the updated version of these scripting modules that
are available in Change Auditor 6.x: https://support.quest.com/change-auditor/kb?k=119136

Exchange Online auditing templates


When you upgrade the client and coordinator from Change Auditor version 6.8 or earlier:
• Previously created Exchange Online auditing templates are deleted from the database and no longer
display in the client.
• Agents previously assigned to audit Exchange Online stop auditing the tenant.
NOTE: You can still search and report on previously captured events. All legacy events are shown in the
Office 365 subsystem, or Office 365 Exchange Online Mailbox and Office 365 Exchange Online
Administration facilities.

To capture new events and avoid losing any audited activities after an upgrade:
1 Upgrade an existing agent to version 6.9.
2 Create an Office 365 auditing template.

Quest Change Auditor 6.9 Installation Guide


28
Upgrade Change Auditor
7
Installation Notes and Best
Practices
This section contains notes and best practices that should be considered when installing Change Auditor. These
notes and best practices are listed under the following topics:
• Licensing Change Auditor products
• Permissions
• Other installation notes
• Change Auditor for Windows File Servers
• Change Auditor for Exchange
• Change Auditor for Authentication Services
• Change Auditor for SharePoint
• Backup notes
• Agent behavior notes
• Client notes
• ADAM (AD LDS) auditing
• Change Auditor for SQL Server — SQL auditing

Licensing Change Auditor products


Upgrading Change Auditor
You can upgrade to Change Auditor 6.9 from the following versions of Change Auditor: 6.0, 6.5, 6.6, 6.7, 6.8. If you
are upgrading, you do not require new Change Auditor 6.9 licenses.
NOTE: The Change Auditor for Lync license has been deprecated. You must obtain and import a new
Change Auditor for Skype for Business license file to continue auditing Skype for Business and Lync 2013.

Applying licenses for multiple Change Auditor products


If this is a new installation (not an upgrade), you require new Change Auditor 6.x licenses. The following Change
Auditor products all require separate licenses which can be applied during the coordinator installation process:
• Change Auditor for Active Directory
• Change Auditor for Exchange
• Change Auditor for Windows File Servers
• Change Auditor for SQL Server

Quest Change Auditor 6.9 Installation Guide


29
Installation Notes and Best Practices
• Change Auditor for Active Directory Queries
• Change Auditor for EMC
• Change Auditor for NetApp
• Change Auditor for Authentication Services
• Change Auditor for Defender
• Change Auditor for SharePoint
• Change Auditor for Logon Activity User (captures login activity on monitored server agents)
• Change Auditor for Logon Activity Workstation (captures login activity on monitored workstation agents)
• Change Auditor for Skype for Business
If you are licensing multiple Change Auditor products, you can apply the licenses in any order but must apply all
the licenses provided.

Applying licenses after initial installation


If you purchased more Change Auditor products after the initial installation, you can use the Change Auditor
License Manager to apply these new Change Auditor product licenses.
1 From the member server where the coordinator is installed, select Start | All Programs | Quest | Change
Auditor | License Manager.
2 From the About Change Auditor dialog, click Update License to locate, and apply the new product
licenses.

3 After applying new product licenses, restart the agents to capture the new events.
NOTE: When applying a new or updated license to a running coordinator (using CALicense.exe in the
ChangeAuditor Service installation directory), it can take up to 24 hours for the new license to deploy to the
connected agents. To deploy the license immediately, stop and restart the coordinator. This restart does not
interrupt event collection by the agents.

Permissions
Coordinator required permissions
User account performing the coordinator installation:
The user account installing the coordinator needs permission to perform the following tasks on the target server:
• Windows permissions to create and modify registry values.
• Windows administrative permissions to install software and stop/start services.
The user account performing the installation, must be a member of the Domain Admins group in the domain
where the coordinator is being installed.
Service account running the coordinator service (LocalSystem by default):
• Active Directory permissions to create and modify SCP (Service Connection Point) objects under the
computer object running a coordinator.
• Local Administrator permissions on the coordinator server.
If you are running the coordinator under a service account (instead of LocalSystem), define a Manual connection
profile where you can specify the IP address of the server hosting the coordinator. You can specify and select
connection profiles whenever you start the client. See the Change Auditor User Guide or online help for more
information on defining and selecting a connection profile.

Quest Change Auditor 6.9 Installation Guide


30
Installation Notes and Best Practices
SQL Server database access account specified during installation:
An account must be created to be used by the coordinator service on an ongoing basis for access to the SQL
Server database. This account must have a SQL Login and be assigned the following SQL permissions:
• Must be assigned the db_owner role on the Change Auditor database
• Must be assigned the SQL Server role of dbcreator

Required permissions for deploying agents


The Agent Deployment wizard runs under the security context of the currently logged on user account. Therefore,
you must have administrative authority to install software on every target machine. This means you must be a
Domain Admin in every domain that contains servers that you are targeting for installation.
If you are targeting domain controllers only, membership in the Enterprise Admins group will grant you authority
to all domain controllers in the forest.
All users responsible for deploying agents must also be a member of the ChangeAuditor Administrators group in
the specified Change Auditor installation. If you are not a member of this security group for this installation, you will
get an access denied error.

Required permissions to deploy agents using the Windows


Installer (MSIEXEC.exe)
The user account used to install the agent by running the Windows Installer directly on the domain controller or
member server or workgroup server or workstation needs permissions to perform the following tasks on the server:
• Windows permissions to create and modify registry values.
• Windows administrative permissions to install software and start or stop services.

Required SQL permissions needed for coordinator and


SQL Change Auditor database communications
The Change Auditor coordinator's supplied SQL login credentials (SQL or Windows) need the Database Owner
(DBO) permission to the database in the SQL instance.

Other installation notes


Stopping MMC modules
Certain MMC modules disrupt or hinder the addition or removal of services, therefore, MMC modules can not be
running (directly on the server or in a Terminal Services session) when installing or uninstalling Change Auditor.
Stop the MMC files before installing or uninstalling Change Auditor.

Event Log Viewers in Windows 2008 (and higher)


environments
Before installing or upgrading the coordinators or server agents, Quest recommends to close all Event Log
Viewers. If a user has an Event Viewer open and opens a Change Auditor event log to load and display a
message, the Windows EventLog locks the event message DLL which can cause the Windows Installer Restart
Manager to restart dependent services.

Quest Change Auditor 6.9 Installation Guide


31
Installation Notes and Best Practices
Microsoft .NET framework
Microsoft .NET 4.6.1 framework is required in the Change Auditor coordinator, client, and web client. .Net 4.5.2 is
the minimum supported for agents (server and workstation). If you try to install these components on a computer
with an earlier version, the installation fails and you are notified that a newer version is required. To verify that you
are running the appropriate version of Microsoft’s .NET framework, use Add or Remove Programs.
NOTE: Links to the .NET 4.5.2 and 4.6.1 framework are available in Change Auditor’s Autorun.exe
redistributables.

Component installation order


Quest recommends installing the Change Auditor components in the following order:
• Database (SQL Server) - Make sure the SQL server you are going to use is available and the installation
account has SQL Server role as dbcreator. If you want to host the Change Auditor database on a SQL
instance other than the default instance of the selected SQL Server, create the new instance before
running the installer.
NOTE: The database name must not include embedded spaces, special characters, or
supplementary characters are also not allowed. For more details, see Microsoft’s database identifier
documentation.

• Coordinator - Install the coordinator. When prompted, specify the SQL server you are going to use and the
installation account. The Change Auditor database is created remotely on this server during the installation.
• Client - Once you have confirmed that the coordinator is functioning correctly, install the client.
TIP: Quest recommends that you install the first coordinator and client, but do not deploy agents until
after you have installed all of the additional coordinators required. When deploying agents you can
select which installation is to be used for each of the agents.

NOTE: During the coordinator installation, you can add the current user to the ChangeAuditor
Administrators security group. If you selected not to add the current user during the installation
process or want to add additional user accounts to the Change Auditor security groups, you need to
add them prior to launching the Change Auditor client. Quest also recommends that you then add
these security groups to the appropriate SQL database role (i.e., ChangeAuditor Administrators -
<InstallationName> group to the ChangeAuditor_Administrators role and ChangeAuditor Operators -
<InstallationName> group to the ChangeAuditor_Operators role). See Add Users to Change Auditor
Security Groups in the Change Auditor Installation Guide.

• Agents - Start the client to deploy agents to your domain controllers and member servers. Also, if you have
the Change Auditor for Logon Activity Workstation auditing module licensed, deploy agents to the domain
workstations to be monitored for logon activity.
• Web-based client — Optionally, install the web client on the IIS web server to allow users access to
Change Auditor data through a standard or mobile browser. See the Change Auditor Web Client User
Guide for information about installing and using the web client.

Deploying Change Auditor agents


For a complete and comprehensive Active Directory change auditing solution, Quest recommends deploying
agents to every server in the forest.
For best results in capturing Group Policy changes, Quest recommends installing an agent on the domain’s PDC
operations master role holder.

Security groups
During the coordinator installation, three installation-specific security groups are created in the domain where the
member server hosting a coordinator resides.

Quest Change Auditor 6.9 Installation Guide


32
Installation Notes and Best Practices
• ChangeAuditor Administrators — <InstallationName> Group — provides access to all aspects of
Change Auditor and to roll out Change Auditor agents.
• ChangeAuditor Operators — <InstallationName> Group — provides access to Change Auditor except
for making configuration changes.
• ChangeAuditor Web Shared Overview Users — <InstallationName> Group — provides access to the
Change Auditor web client shared overviews, while restricting access to only what has been shared. See
the Change Auditor Web Client User Guide for more information about sharing overviews.
Where <InstallationName> is a unique name selected during the coordinator installation to isolate your
components from any other Change Auditor installation in your Active Directory forest.
Add your user account to either the ChangeAuditor Administrators or ChangeAuditor Operators group before
running the client. If multiple coordinators are installed in a mixed mode environment, to connect to each
coordinator, add your user account to one of these groups on each of the member servers where a coordinator
resides.
In addition, users responsible for deploying agents must also be a member of the ChangeAuditor Administrators
group in the specified Change Auditor installation.
During the coordinator installation, you are presented with the option to add the current user to the ChangeAuditor
Administrators security group. If you selected not to do this during the coordinator installation process or you want
to add more user accounts, add your user account (and any other appropriate user accounts) to one of the
Change Auditor security groups before running the client.
See Add Users to Change Auditor Security Groups for more detailed information about the security groups that are
created when the coordinator is installed.
NOTE: When the first foreign workstation agent is manually installed, a ChangeAuditor Agents -
<InstallationName> security group is created. User accounts must be added to this security group to
properly authenticate.

Change Auditor for Windows File


Servers
Change Auditor for Windows File Server agents may fail to provide “Origin” information if remote users are already
connected during an agent installation or upgrade. To resolve this issue, restart the server as soon as possible
after an agent installation or upgrade.

Change Auditor for Exchange


Agent deployment
High volume Exchange Servers. Agent processing of large Exchange auditing and protection configurations
may slow down initial user login access or cause timeouts if many user logins are occurring at the same time. To
avoid this issue, Quest recommends that the following actions be performed during maintenance intervals or other
periods of low user mailbox activity:
• Change Auditor Exchange agent deployment
• Change Auditor Exchange agent upgrade
• Change Auditor Exchange Mailbox auditing or protection configuration changes
Before the system returns to a normal load, one user should log in to Outlook Web Access (OWA), Outlook, and
Exchange Web Services (EWS, Outlook for Mac) clients. This triggers the Change Auditor agent to process
Exchange Mailbox auditing and protection configuration changes when the fewest logins are occurring.

Quest Change Auditor 6.9 Installation Guide


33
Installation Notes and Best Practices
Exchange 2010/2013/2016. Exchange 2010/2013/2016 stores its configuration data in Active Directory, and
installing Change Auditor agents on the domain controller captures all these change actions. However, starting
with Exchange 2010, Microsoft rearchitected how they process configuration changes. Therefore, in order for
Change Auditor for Exchange to retrieve the correct ‘who’ information for these Active Directory based events it
now audits Windows PowerShell. So you can:
• Deploy an agent to all Active Directory domain controllers in the forest. However, the ‘who’ value is missing
(reported as the Exchange server computer account) from all the Exchange 2010/2013/2016 Active
Directory based events.
• Depending on the Exchange version you are running, deploy an agent to Exchange servers as described
below. This captures the correct ‘who’ value for many of the Exchange 2010/2013/2016 Active Directory
based events, but not all Exchange 2010/2013/2016 events are being audited in this scenario.
▪ Exchange 2010: Deploy an agent to all Exchange 2010 CAS role servers.
▪ Exchange 2013/2016: Deploy an agent to all Exchange 2013/2016 servers with the Mailbox role.
• Recommended: Deploy an agent to all Active Directory domain controllers and to all required Exchange
servers. However, duplicate events are generated for Exchange Active Directory events: one from the
agent auditing attribute changes on a domain controller (contains no ‘who’ value) and one from the new
agent auditing PowerShell on an Exchange server (contains the correct ‘who’ value).
To capture Exchange mailbox access events:
• Exchange 2010: Deploy an agent to all Exchange 2010 CAS role servers.
• Exchange 2013/2016: Deploy an agent to all Exchange 2013/2016 Mailbox role servers.
Deploy agents to all Exchange Servers. When a Change Auditor 5.6 (or higher) agent is deployed on Exchange
Server, it automatically enables the scripting extension in Active Directory. This is a forest-wide setting and applies
to all Exchange servers in the Exchange organization. This extension requires that the ScriptingAgentConfig.xml
file be present in the Exchange Server folder; otherwise, Exchange management tools display error messages
each time the Scripting Agent cmdlet runs. The Change Auditor 5.6 (or higher) agent automatically creates the
required ScriptingAgentConfig.xml file in the Exchange Server folder if one is not already present. Therefore, it is
highly recommended that an agent be installed on all Exchange servers to ensure that all servers are using the
same scripting agent.

NOTE: If the scripting agent was not enabled on your Exchange servers before deploying agents, you
should perform backups of your Exchange servers in accordance with your company’s disaster recovery
plan once you have successfully deployed agents to all your Exchange servers.
If you need to restore your Exchange servers and they were NOT backed up after you deployed agents that
enabled the scripting agent, you will need to disable the CmdletExtensionAgent BEFORE recovering your
Exchange 2010/2013/2016 servers.

If Change Auditor cannot be installed on all your Exchange servers, use the following procedure on all Exchange
servers where an agent is not yet deployed:
1 Create an empty ScriptingAgentConfig.xml file under the following directory:
%ProgramFiles%\Microsoft\Exchange Server\V14\Bin\CmdletExtensionAgents\
Enter the following text into this ScriptingAgentConfig.xml file:
<?xml version="1.0" encoding="utf-8"?>
<Configuration version="1.0"/>
2 Save and close the file.
Exchange cluster node servers. When deploying or upgrading agents on Exchange cluster node servers, use
the following recommended procedure:
1 Deploy or upgrade the agent on the passive Exchange cluster nodes.
2 Perform a scheduled fail-over on the active cluster nodes.
3 Then deploy or upgrade the agent on the newly passive cluster nodes.

Quest Change Auditor 6.9 Installation Guide


34
Installation Notes and Best Practices
If you find the need to deploy or upgrade an agent on an active cluster node, schedule the deployment
during low-utilization periods. A visual check of the server utilization to ensure that utilization is below 20%
should be sufficient.

BlackBerry Enterprise Server (BES) service


To eliminate auditing of automated tasks, the Change Auditor agent attempts to automatically exclude auditing of
mailbox accesses by Blackberry® Enterprise Server (BES) or similar service accounts. These accounts have both
‘Receive All’ and ‘Administer Information Store’ rights on the mailbox database. If these explicit rights are granted
to user accounts, those accounts are excluded from mailbox auditing, which may not be desired. If necessary, this
automated exclusion can be disabled on a server-by-server basis. Contact Quest Technical Support for additional
information.

Exchange 2003— Not supported


Beginning with Change Auditor 6.5, Exchange 2003 is no longer supported. If you have an Exchange 2003
environment that you want to continue auditing, do NOT upgraded to Change Auditor 6.5 (or higher).

SMTP authentications and alerts on Exchange


Exchange versions 2007 and above denies authentication to all well-known accounts, including ‘Administrator’.
Use Hub Transport servers to allow SMTP email to go through. This references the setting for My Server
Requires Authentication on the SMTP Configuration pane on the Coordinator Configuration page
(Administration Tasks tab) in the Change Auditor client. It may also be necessary to configure more Transport
settings (authentication and permissions) to allow email relay from the Change Auditor coordinator machine to
receive SMTP alerts.

Microsoft Outlook 2000 and 2002 — Not supported


Change Auditor for Exchange does not support Microsoft Outlook 2000 or 2002.

Change Auditor Exchange Server monitoring and Outlook


cached mode
For improved performance, Outlook offers an option to ‘cache’ requests to Exchange Server. This option is
enabled by default when you configure an email account for Exchange Server. To disable this setting, select the
Outlook Tools | Account Settings menu command, open the E-mail tab and click Change, and then clear the
Use Cached Exchange Mode check box on the Microsoft Exchange Settings dialog.
While Change Auditor Exchange monitoring events closely track user input in non-cached Outlook and Outlook
Web Access clients, this is not the case with cached-mode Outlook.
User activity in cached-mode Outlook can provide complex results with Change Auditor Exchange monitoring; the
timing and order of Exchange requests is not obvious or intuitive.
A few of the effects you will see when monitoring an Outlook cached connection to Exchange Server include:
• Cached-mode Outlook frequently defers message copy, move and delete requests until seconds or even
minutes later.
• When opening cached-mode Outlook, several folders may be ‘opened’ at the same time. Outlook
examines all folders with recent changes at startup.
• When opening cached-mode Outlook or selecting a different mail folder, several message read events may
occur at the same time. Outlook reads all new Inbox messages as they become available (independent of
user activity) and then keeps local copies for reading.

Quest Change Auditor 6.9 Installation Guide


35
Installation Notes and Best Practices
• When opening messages that have previously been read (or selecting messages with the preview pane
enabled) you will not see a ‘message read’ event. Since cached-mode Outlook keeps local copies of the
messages they never need to be read from the server again, even after closing and re-starting Outlook.
The original read from the server does produce a ‘message read’ event.
• When deleting messages (moving them to the Deleted Items folder), instead of ‘message deleted and
moved to the Deleted Items folder’ events as in non-cached mode you will receive two events: ‘message
created’ in the Deleted Items folder, and ‘message permanently deleted’ in the original folder. This is an
accurate report of how cached-mode Outlook implements message deletions to the Deleted Items folder.
• When permanently deleting messages (emptying the Deleted Items folder) you will see a ‘message read’
event as cached-mode Outlook obtains information from the message followed somewhat later by a
‘message permanently deleted’ event.
• If the user closes cached-mode Outlook before it has a chance to synchronize permanently deleted items
with the Exchange Server, it will do so the next time Outlook is started. Other clients viewing the mailbox
will be able to access the ‘deleted’ items until cached-mode Outlook synchronizes with the server.
You will still receive all notifications of critical non-owner events from cached-mode Outlook clients, but the timing
and sequence may not be obvious. Understanding the effect that cached-mode Outlook has on your Change
Auditor Exchange monitoring will give you confidence that the results you are seeing are accurate.

Change Auditor for Authentication


Services
Agent deployment
Change Auditor for Authentication Services requires agents deployed on all Active Directory domain controllers in
the forest to capture modifications to the Authentication Services configuration container.

Change Auditor for SharePoint


The Microsoft SharePoint requirements must be met. Change Auditor for SharePoint does not need any additional
requirements.
See the Change Auditor for SharePoint User Guide for information about installing, configuring, and using Change
Auditor for SharePoint.

Agent deployment
You need deploy an agent on one of the SharePoint servers in the SharePoint farm that you want to monitor.

Required rights and permissions


The agent selected to connect to and collect events from the SharePoint farm must have the following
permissions:
• At a minimum, the account must have full access to all SharePoint sites. It must also have read
permissions on all SharePoint SQL databases.
• Recommended: Use the SharePoint farm administrator account that was supplied when SharePoint was
installed.

Quest Change Auditor 6.9 Installation Guide


36
Installation Notes and Best Practices
For proper auditing of the sites within the MySite Site Collection or Web Application, add the account Change
Auditor uses to access the SharePoint database as a Site Collection Administrator (primary or secondary) or to the
User Web Policy for the MySite host. Depending on how your MySite host is initially set up, use the Central
Administration website to verify, and if necessary add, this account.

SharePoint settings
For Change Auditor to capture some of the SharePoint events, the following settings must be enabled:
• Native Auditing enabled for all SharePoint web applications (including each user site under
MySite)Change Auditor
NOTE: Log trimming is off by default. Enable log trimming to meet your policies. If the Change
Auditor agent is offline or is otherwise unable to retrieve event information from the SharePoint
database for a period longer than the trim period, events could be lost.

• Versioning enabled for each individual Library and List Item pertaining to the Sites, if you want Change
Auditor to capture versioning activities.
See the Change Auditor for SharePoint User Guide or Event Reference Guide for a list of the events that require
these additional settings.

Backup notes
Backup and protect the coordinator database
The coordinator uses Microsoft SQL Server as the main database for collecting and reporting audit information.
This data must be protected and backed up regularly, acceptable to your data retention policies. There are several
third-party tools available, including Microsoft’s SQL Tools, which provide backup and restore functions.

Exclude the local agent directory and files from your


backup
The agent uses a SQLCE database file (ChangeAuditorAgent.sdf) on the local drive of each agented DC/member
server. This database is primarily used to capture the state values for Active Directory® objects, File System
values, and Windows registry changes. The agent files are not required as part of the backup job since the data
contained in the database files can be recreated upon agent installation. Quest recommends that you exclude the
agent files (%ProgramFiles%\Quest\ChangeAuditor\Agent\DBScripts) from your backup solution.

Agent behavior notes


Agent connection behavior
When an agent comes online, it queries the Active Directory Catalog (GC) for a list of all coordinator SCPs within
its same installation to determine which to connect to.
When there are available coordinators within the agent’s site, the agent connects to all coordinators in the site.
When there are no coordinators running within the agent’s site, the agent connects to any online coordinator.
However, when coordinators within the site come back online, the agent switches to connect to just the
coordinators within the same site and drop nonsite coordinator connections. If this behavior is problematic for your
environment, contact Quest Technical Support to discuss possible configuration options.

Quest Change Auditor 6.9 Installation Guide


37
Installation Notes and Best Practices
The connection behavior after these initial steps depends on the type of agent:
• Legacy Change Auditor (5.x) agents: If there are multiple coordinators available in the local subnet, the
agent looks at the current load on the coordinator (also posted in the SCP) and tries to connect to the
coordinator that has the fewest agents connected. If it cannot connect to its nearest, least loaded
coordinator (if that coordinator does not respond) it goes to the next available coordinator.
NOTE: Legacy (5.x) agents can only be connected to a single coordinator.

• Change Auditor 6.x server agents: Starting with Change Auditor 6.0, server agents submit events to all
coordinators in the site and load balancing occurs automatically. All connected coordinators can then
participate in receiving events from the server agent, allowing a high volume of events to be distributed for
processing.
• Change Auditor workstation agents: The workstation agents randomly connect to a single coordinator.
This enables ‘scaling out’ options for large workstation agent deployments within a single site.
NOTE: A maximum of 10,000 agents (server and workstation) can connect to a single coordinator. If this
connection limit is problematic for your environment, contact Quest Technical Support to discuss possible
configuration options.

Incompatibility with Symantec Backup Exec CPS agent


Junction point creation may fail on a server where both a Symantec™ Backup Exec™ CPS agent and a Change
Auditor agent are running. To resolve the problem, upgrade the CPS agent to 12.5 or later.

Client notes
Disabled audit events
Some events are disabled by default to improve the initial deployment process and reduce the amount of audited
event information initially collected. These audited events can easily be enabled on the Audited Events page of the
Administration Tasks tab.
See the online help or appropriate Event Reference Guide for a list of the events that are disabled by default.

Enabling encrypted SQL Server connections


By default, connections to a SQL Server are not encrypted; however to encrypt all data transmitted between an
application computer and a computer running a SQL Server instance, you can use the Secure Sockets Layer
(SSL). For more details on configuring client network protocols, see the following Microsoft article:
http://msdn2.microsoft.com/en-us/library/ms190425.aspx

ADAM (AD LDS) auditing


Monitoring ADAM (AD LDS) instances on workgroup
servers
Run the appropriate Change Auditor Agent.msi file on the workgroup server to install an agent to monitor ADAM
(AD LDS) instances on nondomain servers. See Install an agent to audit ADAM (AD LDS) on workgroup servers
for more information.

Quest Change Auditor 6.9 Installation Guide


38
Installation Notes and Best Practices
Change Auditor for SQL Server — SQL
auditing
Auditing events on SQL Server 2008 SP1 Update 5 (or
higher)
Due to a hotfix Microsoft released for SQL Server 2008 SP1 Update 5 (or higher), agents do not capture SQL-
related events unless the following action is taken on the SQL Server:
• SQL Server 2008: Using SQL Server Configuration Manager, add the string ";-T1906" to the end of the
SQL Server Startup Parameters on the Advanced tab in the SQL Server Properties dialog.
• SQL Server 2012 and later: Using SQL Server Configuration Manager, add a startup parameter called ‘-
T1906’ on the Startup Parameters tab in the SQL Server Properties dialog.
• Restart the SQL Server service.
See http://blogs.msdn.com/b/joaol/archive/2009/09/30/sql-server-2008-does-not-start-after-sp1-with-etw-
enabled.aspx.

SQL Server auditing for Itanium platform — Not supported


Auditing of SQL Servers running on Itanium platforms is not supported.

Quest Change Auditor 6.9 Installation Guide


39
Installation Notes and Best Practices
8
Multi-Forest Deployments
Change Auditor can be configured to audit and report on one or many Active Directory forests to facilitate
searching for compliance audit data over multiple forests.
This section covers the following multi-forest deployment topics:
• Multi-forest deployment requirements
• Installation example
• Configuration

Multi-forest deployment
requirements
Network connectivity between each monitored forest
Coordinators in all forests connect directly to the SQL Server that is hosting the Change Auditor audit database.
Coordinators must resolve the host name of the SQL server or must be configured to use the IP address of the
SQL server.

At least one coordinator must be deployed in each forest


The coordinator is responsible for collecting and maintaining the topology information for each forest. This includes
domains, sites, domain controllers, and member servers.
The coordinator is also responsible for many other periodic tasks such as:
• Sending alerts by email, SMNP, or WMI
• Sending agent configuration settings, auditing and protection templates
• License enforcement
• Agent status updates
• Agent installation and upgrade
• Auto deployment
• Event statistics
• Group membership expansion

Quest Change Auditor 6.9 Installation Guide


40
Multi-Forest Deployments
Change Auditor groups are created in each forest
To connect to coordinators in other forests, users must be added to either the ‘ChangeAuditor Administrators —
<InstallationName>’ OR ‘ChangeAuditor Operators — <InstallationName>’ in the forest where the coordinator is
joined.

Credentials for the Microsoft SQL Server backend


Depending on whether the Active Directory forests have a trust in place, you need to configure Change Auditor to
use the appropriate SQL credentials.

Scenario A — One or more of the forests do not have a valid trust in place
• The SQL server must have SQL authentication enabled. By default, SQL Server Authentication is disabled
and must be manually enabled.
• The coordinator that is not part of the same forest where the SQL server is joined to, must be configured to
use a SQL user account, not a domain user account.

NOTE: This is required because SQL Server only allows Kerberos authentications when attempting
to connect using a Windows user account. Passing credentials is not allowed.

Scenario B — All forests have a valid trust in place


Each of the coordinators may be configured to use either authentication type. Both Windows or SQL user accounts
may be used in each of the forests.

Quest Change Auditor 6.9 Installation Guide


41
Multi-Forest Deployments
Installation example
The following diagram shows two separate forests where Change Auditor will be deployed. Forest A is deployed
first and the Forest B is added.

Forest A installation
1 Install the coordinator on a member server in Forest A. In this example, Coordinator1.ForestA.com is used
as the coordinator server.
▪ While installing the first coordinator, make note of the “Installation name”. The same installation
name is used to deploy the coordinator in Forest B (ForestB.net).
▪ Also take note of the SQL Server host and credential information. This server and account will also
be used in the second forest. The required information is as follows:
▫ SQL Server host name or IP address AND Instance name if applicable
▫ Database or Catalog name
▫ User name, password, and domain if applicable
2 Install the client on either a workstation or member server. In this example, CAClient1.ForestA.com is used
as the client computer.
3 Using the client, connect to the coordinator in Forest A to deploy Change Auditor agents on to the domain
controllers and/or member servers in Forest A. See Deploy Change Auditor Agents for more details about
deploying agents.
4 At this point, Change Auditor should be fully deployed to the first forest in the organization (ForestA.com in
this example).

Quest Change Auditor 6.9 Installation Guide


42
Multi-Forest Deployments
Forest B installation
5 Install the coordinator on a member server in Forest B. In this example, Coordinator2.ForestB.net is used
as the coordinator server.
▪ While installing the second coordinator, you must use the ‘Installation name’ that was selected in the
first forest.
▪ During the installation of the second coordinator, use the same SQL server and database name
used in the first coordinator’s installation. The Windows or SQL user account may be different than
the account used in the first installation.
▪ Quest recommends that the same database access account used in the first forest is also used in
the second forest. If a different user account for database access is used in the second
coordinator's installation, the following permissions must be granted before the installation is
started:
▫ db_owner database role on the Change Auditor database
▫ dbcreator server role
6 Install the client on either a workstation or member server. In this example, CAClient2.ForestB.net is used
as the client computer.
7 Using any client, connect to the coordinator in Forest B to deploy agents on to the domain controllers
and/or member servers in Forest B.
8 Change Auditor is now fully configured to collect audit data from both forests into a single database.
Reports and alerts can be run from any client to return data related to one or all the deployed forests.
9 You can deploy more forests by following steps 5 through 9.

Configuration
This section discusses how Change Auditor configurations are handled in multi-forest environments, including:
• Audit and protection configuration flow
• Event flow
• Reports and queries from the client

Audit and protection configuration flow


Audit and protection configurations are maintained using the client that is installed on either workstations or
member servers. Configuration changes are stored in the SQL database by the coordinator service.
The following configurations can be shared across forests regardless of the forest trust level:
• Active Directory Auditing — Object Class\Attributes
• ADAM\AD (LDS) Auditing — Object Class\Attributes
• Excluded Accounts templates
• File System Auditing templates
• Registry Auditing templates
• Service Auditing templates
• VMware Auditing templates
• SQL Auditing templates
• Audit Event configurations (for example, enabled or disabled, severity level)

Quest Change Auditor 6.9 Installation Guide


43
Multi-Forest Deployments
The following configurations can be shared when a two-way trust exists:
• Active Directory Protection templates
• ADAM\AD (LDS) Protection templates
• Exchange Protection templates
• File System Protection templates
• Group Policy Protection templates
NOTE: A trust is required to view the Active Directory accounts in the other forest for protection account
exclusions.

Quest Change Auditor 6.9 Installation Guide


44
Multi-Forest Deployments
Event flow
Recorded audit events are first queued in a local database on each agent computer. Events are then batched and
forwarded to a coordinator. The coordinator checks for new events every 10 seconds and does a bulk insert of the
event details to the SQL database.

Quest Change Auditor 6.9 Installation Guide


45
Multi-Forest Deployments
Reports and queries from the client
Change Auditor clients do not connect directly to the SQL database. Instead, the coordinator to which the client is
connected processes search results and change requests. Clients can connect to any coordinator if the logged on
user is a member of either the ChangeAuditor Administrators — <InstallationName> or the ChangeAuditor
Operators — <InstallationName> group in the respective forest.
By default, user-configured alerts (SMTP, SNMP, and WMI) are generated and sent from the first installed
coordinator in the Change Auditor installation.

Quest Change Auditor 6.9 Installation Guide


46
Multi-Forest Deployments
9
Workstation Agent Deployment
Workstation agents are required to capture login activity events when a Change Auditor for Logon Activity
Workstation license is applied. This section provides recommendations for deploying agents necessary for
auditing both domain workstations and non-domain workstations. It also includes instructions on manually
deploying workstation agents.
• Recommendations and deployment requirements
• Manual workstation agent deployment

Recommendations and deployment


requirements
All workstation agents
• .NET framework 4.5.2 is the minimum requirement (available in Autorun.exe redistributables). See the
Release Notes for a full list of the system requirements for workstation agents.
• Quest recommends a phased approach to deploying workstation agents. Deploying a maximum of 100
workstation agents at a time allows you to monitor the coordinator performance before deploying another
batch of agents.

Deploying workstation agents (domain workstations)


• The recommended installation is from the Deployment tab of the client. See Deploy Change Auditor
Agents.
• Alternately, you can manually deploy workstation agents. See Manual workstation agent deployment.

Deploying foreign workstation agents (non-domain


workstations)
• A workgroup agent requires NetBIOS over TCP enabled and access to port 137 (UDP) inbound to the
domain controllers.
• A routable network path must exist between non-domain workstations, domain controllers, and the
coordinator servers. Name resolution of domain controllers and the coordinator servers is also required
from the non-domain workstations, whether DNS server configuration, NetBIOS/WINS configuration or
local hosts file entries are used.
• Agents must be deployed manually. See Manual workstation agent deployment.
• During installation, the workstation agent prompts for Active Directory domain and credential information to
locate a coordinator and installation name.

Quest Change Auditor 6.9 Installation Guide


47
Workstation Agent Deployment
• When the first foreign workstation agent is manually installed, a ChangeAuditor Agents -
<InstallationName> security group is created. User accounts must be added to this security group to
properly authenticate.
▪ The workstation agent installer allows you to add the domain user account to the ChangeAuditor
Agents – <InstallationName> security group, if appropriate LDAP and network protocol access is
available.
NOTE: Sometimes, you might need to prestage\create the ChangeAuditor Agents –
<InstallationName> security group and manually add the configured workstation agent user account
to the security group.

• You can also use the Coordinator Credential Configurator to change between coordinator domains at any
time after the agent is installed.
NOTE: The Coordinator Credential Configurator application can be launched using the
CoordinatorCredentialConfigurator.exe file in the agent installation folder on the workstation. The
default agent installation location is: %ProgramFiles%\Quest\ChangeAuditor\Agent

Manual workstation agent deployment


When installed manually, the workstation agent installer must be run as an account with the local administrator
account privileges and with elevated User Account Control (UAC) permissions.
NOTE: Depending on the UAC policies (see User Account Control (UAC) Settings), elevated UAC
permissions may require starting the installer using one of the following methods:
• Shift + Right-click installer to select ‘Run as a different user’
• From the Windows Task Manager, select File | Run New Task, browse and select the Change Auditor
Workstation Agent installer file, and select the ‘Create this task with administrative privileges’ option,
then click OK.

To manually install a workstation agent:


1 Copy the appropriate agent installer package from the Change Auditor service installation directory to the
workstation to monitor. The default directory is %ProgramFiles%\Quest\ChangeAuditor\Service\Change
Auditor Workstation Agent (x64).msi.
2 Run the installer file on the workstation to open the Workstation Agent Setup wizard which steps you
through the installation.
3 Review the following table for additional information about the information requested in this wizard. This
table only covers unfamiliar information. It does not include all the wizard pages or field descriptions.
Table 5. Change Auditor Workstation Agent wizard

Active Directory Information screen


On the Active Directory Information screen, enter the Active Directory information which allows the agent
to establish a coordinator connection.
Name of Active Directory Root Domain Enter the DNS name (domain.com) of the root domain of
(domain.com) Active Directory.
Account Name (domain\user) Enter the name of the user (domain\user) that can find and
connect to a coordinator in the Active Directory forest.
Account Password Enter the password associated with the previously entered
user account.
Add this user to the “ChangeAuditor Agents This is selected by default indicating that the specified user
- <InstallationName>” security group account will be added to the ChangeAuditor Agents security
group.
NOTE: User accounts must be added to this security group
to properly authenticate.

Quest Change Auditor 6.9 Installation Guide


48
Workstation Agent Deployment
Table 5. Change Auditor Workstation Agent wizard

Installation Name screen


The Installation Name screen prompts you to enter the installation name to identify the database where
the coordinator is to be connected. A workstation agent must join an existing Change Auditor installation.
ChangeAuditor Installation Name Click Next to use the DEFAULT installation name.
To use a different installation, enter an existing Change
Auditor installation or click the Browse button to select from
a list of existing installations.

4 Repeat to install an agent on all the required workstations.


5 To enable the workstation agent detection of authentication activity events, the ‘Audit Logon events’ audit
policy must be enabled on all monitored workstations.
Use either Local Security Policy or Group Policy Object (GPO) settings where appropriate.

User Account Control (UAC) Settings


• UAC policies typically use different settings for the ‘Administrator’ account and other accounts with
Administrative privileges, so it may be easier to run the Change Auditor Workstation Agent installer with
elevated UAC permissions if the Administrator account is used.
• General UAC elevation and prompt level configurations can be accessed through the Control Panel User
Access Control configuration.

• More specific UAC policies can be configured in the Local Security Policy or a Group Policy Object (where
appropriate) to determine whether all Administrators or the built-in Administrator account are run in Admin
Approval Mode, the elevation prompt level, whether the secure desktop is used for prompting, whether
elevation is possible without prompting, and so forth.

Quest Change Auditor 6.9 Installation Guide


49
Workstation Agent Deployment
Quest Change Auditor 6.9 Installation Guide
50
Workstation Agent Deployment
10
Agent Comparison
There are a few client features that are not available for workstation agents. The following table displays the agent-
related features that are available for server and workstation agents.

Table 6. Agent comparison

Available for server Available for


Page and Feature
agents? workstation agents?
Deployment Page
The Deployment page does not display non-member objects, such as ADAM workgroup servers or non-Active
Directory workstations, because agents cannot be deployed to non-member objects using the Deployment tab.
Included in topology harvest Yes Yes
Install or Upgrade (deploy agent) Yes Yes
Advanced Options | Specify Agent Installation Location Yes Yes
Advanced Options | Specify a Custom Share on the Yes Yes
Remote Server
Advanced Options | Launch ServiceStatusTray on Yes No
startup
Advanced Options | Restart Agent on failure Yes Yes
New Servers | Enable Auto Deployment on New Servers Yes No
Overview Page
Agent Status Pane
▪ Enterprise View (member objects) Yes No
▪ Workstation View (member objects) No Yes
▪ Other View (non-member objects) Yes Yes
▪ <Domain> (member and non-member objects) Yes Yes
Count of Events Pane
▪ Location (member and non-member objects) Yes Yes
Top Agent Activity Pane
▪ All (member and non-member objects) Yes Yes
▪ DCs (member objects) Yes No
▪ Servers (member objects) Yes No
▪ Workstations (member objects) No Yes
▪ Others (non-member objects) Yes Yes
Search Properties Tabs
Where Tab Yes Yes
Origin Tab Yes Yes
Agent Statistics Page
Included in Agent Statistics page Yes Yes
Start | Stop | Restart agent (member objects) Yes Yes
Start | Stop | Restart agent (non-member objects) No No

Quest Change Auditor 6.9 Installation Guide


51
Agent Comparison
Table 6. Agent comparison

Available for server Available for


Page and Feature
agents? workstation agents?
Set Agent Uninstalled Yes Yes
Hide | Show Uninstalled agents Yes Yes
View agent logs Yes Yes
(See Note below)
View resource properties Yes Yes
Administration Tasks Page — Agent Configuration
Included in Agent Configuration page Yes No
Assign agent configurations Yes No
(Uses Default
Configuration)
Configuration Setup dialog | System Settings Yes Yes
(From Default
Configuration)
Configuration Setup dialog | File System settings  Yes No
(Change Auditor for Windows File Servers, Change
Auditor for EMC or Change Auditor for NetApp)
Configuration Setup dialog | AD Query settings Yes No
(Change Auditor for Active Directory Queries)
Configuration Setup dialog | Exchange settings Yes No
(Change Auditor for Exchange)
Configuration Setup dialog | VMware settings Yes No
Agent system tray icon Yes No

NOTE: For workstation log management (such as Get Logs and View Agent Logs), the following must be
enabled on the workstation:
• Windows Management Instrumentation (WMI) in the firewall rule set (usually domain) on the
workstation
• Network Discovery and File Sharing
• Remote Registry Service set to ‘Start Automatically’. By default, this service is stopped and set to
‘Manual’ for Windows 7, 8/8.1, and 10.

Quest Change Auditor 6.9 Installation Guide


52
Agent Comparison
11
Install an agent to audit ADAM (AD
LDS) on workgroup servers
Change Auditor audits Active Directory Application Mode (ADAM) or Active Directory Lightweight Directory
Services (AD LDS) events. This section provides information regarding the agent installation necessary for
auditing ADAM (AD LDS) instances on workgroup servers.

Agent installation
NOTE: An agent must be installed on the server where the ADAM (AD LDS) instance to audit resides.

To install agents to audit ADAM (AD LDS) on workgroup servers:


NOTE: A workgroup agent requires NetBIOS over TCP enabled and access to port 137 (UDP) inbound to
the domain controllers.

1 Copy the appropriate agent installer package from the Change Auditor service installation directory to the
workgroup server to monitor. The default directory is %ProgramFiles%\Quest\ChangeAuditor\Service\
Change Auditor Agent (x64).msi.
2 Run the installer file on the workgroup server to open the Change Auditor Agent wizard which steps you
through the installation.
3 Review the following table for additional requested information in this wizard. This table only covers
unfamiliar information. It does not include all the wizard screens or field descriptions.
Table 7. Change Auditor Agent wizard

Active Directory Information screen


On the Active Directory Information screen, enter the Active Directory information required for the agent
to establish a coordinator connection.
Name of Active Directory Root Domain Enter the DNS name (domain.com) of the root domain of
(domain.com) Active Directory.
Account Name (domain\user) Enter the name of the user (domain\user) that can find and
connect to a Change Auditor coordinator in the Active
Directory forest.
Account Password Enter the password associated with the previously entered
user account.
Installation Name screen
The Installation Name screen prompts you to enter the installation name to identify the database to which
the coordinator is to be connected. A workgroup agent must join an existing Change Auditor installation.
ChangeAuditor Installation Name Enter an existing Change Auditor installation or click
Browse to select from a list of existing installations.

Quest Change Auditor 6.9 Installation Guide


53
Install an agent to audit ADAM (AD LDS) on workgroup servers
12
Active Roles Integration
Active Roles uses a proxy account (service account) to connect and change Active Directory objects and group
policies. Change Auditor can deploy to an Active Roles server which signals it to retrieve and send the name of the
user that was logged in to the Active Roles console to Change Auditor. This additional information is then
displayed in the Change Auditor client for events initiated using Active Roles.
NOTE: Change Auditor audits changes made through Active Roles workflow that are initiated by the Active
Roles service account.

This section covers the following topics for Active Roles integrations:
• Requirements
• Deploying Change Auditor/Active Roles integration scripts
• Client components added to Change Auditor
• Removing deployed Change Auditor/Active Roles integration scripts
• Troubleshooting Tips

Requirements
Active Roles
• Active Roles 6.9 through 7.2.
NOTE: To capture the additional events and initiator account information available with the latest
integration scripts, you must be running Active Roles 6.9 (or higher) with Change Auditor for Active
Directory 6.0 (or higher).

NOTE: To work with Active Roles 7.0, you must have installed: hotfix 7.0.2 SOL188024 for Active
Roles and at a minimum Change Auditor 6.7.1539, Change Auditor 6.8.1474, or Change Auditor 6.9.
NOTE: If both Active Roles versions 6.x and 7.0.2 SOL188024 are installed on the same server as a
side-by-side deployment, Change Auditor installs integration scripts to both.

• Microsoft .NET Framework 4.5 (or higher) must be installed and enabled on the target Active Roles server
• PowerShell 2.0 must be installed on the target Active Roles server
• PowerShell Execution policy must be set to ‘AllSigned’, ‘RemoteSigned’ or ‘Unrestricted’ on the target
Active Roles server. (For more information, see https://technet.microsoft.com/en-
us/library/ee176961.aspx.)
• Active Roles administrator right is required to deploy the integration scripts.

Quest Change Auditor 6.9 Installation Guide


54
Active Roles Integration
• The Active Roles service account (or the override account) must be authorized to access the Change
Auditor SDK. That is, add the Active Roles server service account to the ChangeAuditor Administrators
security group.
NOTE: If you use a role with the minimum permissions, use the Application User Interface page on
the Administration Tasks tab to define a role that contains the ‘Add Sdk’ and ‘View Sdk’ operations.
For more information about using the Application User Interface page to define a new role, see the
Change Auditor User Guide.

Change Auditor for Active Directory


• Change Auditor for Active Directory 5.6 (or higher)
NOTE: To capture the additional events and initiator account information available with the latest
integration scripts, you must be running Active Roles 6.9 (or higher) with Change Auditor for Active
Directory 6.0 (or higher). To deploy Active Roles 7.0, you must have installed at a minimum, Change
Auditor 6.7.1539, Change Auditor 6.8.1474, or Change Auditor 6.9.

• The integration scripts must be deployed to a server running Active Roles.


NOTE: If Active Roles replication is configured correctly, you only need to deploy the integration
script to one Active Roles server.

• The Change Auditor agents must be installed on all domain controllers in the environment to ensure that
the Active Directory changes are picked up.

Deploying Change Auditor/Active Roles


integration scripts
For Active Roles to retrieve the name of the user that was logged in to the Active Roles console and forward this
information to Change Auditor, you must first deploy the integration scripts to an Active Roles server.
NOTE: If the Active Roles scripting module has been deployed in a previous Change Auditor version, see
the following knowledge base article which details the process to move to the updated version of these
scripting modules that are available in Change Auditor 6.x:
https://support.quest.com/change-auditor/kb?k=119136

To deploy Change Auditor/Active Roles integration scripts:


1 Open the Deployment page.
2 Select a server where Active Roles is installed.
3 Expand Advanced Options and select one of the following options:
▪ ActiveRoles Integration | Deploy Scripts Only
▪ ActiveRoles Integration | Deploy Scripts and Excluded Account
4 If you select the Deploy Scripts Only option, Change Auditor copies and runs the Active Roles integration
PowerShell script on the Active Roles server which triggers Active Roles to retrieve the initiator information
for all users and pass this information onto Change Auditor.
5 If you select the Deploy Scripts and Excluded Accounts option, the Select Active Directory Objects
dialog is displayed. Use either the Browse or Search page to locate and select a user or computer to
exclude. Change Auditor then deploys the integration script that signals Active Roles to retrieve the initiator
information for all accounts except for those specified for exclusion.

Quest Change Auditor 6.9 Installation Guide


55
Active Roles Integration
6 Once successfully deployed, Success is displayed in the Deployment Results cell for the server.
NOTE: If errors are encountered during the deployment process, corresponding error messages are
displayed in the Deployment Results cell. Fix the errors reported and then redeploy the scripts.

Client components added to Change


Auditor
After you have deployed the integration script, the initiator information retrieved from Active Roles can be viewed
on the Search Results page in Change Auditor. Use the following to display additional information:
• A field on the Event Details pane that displays the additional information retrieved from Active Roles.
• A built-in report that retrieves all Active Directory changes, including changes initiated by Active Roles.
Running this report also displays the Initiator UserName and EventSource columns in the search results.
• Columns on the Layout tab that allow you to add the event source and initiator information to other search
definitions.
• Option on the Who tab that allows you to create a custom search to search for events initiated by a specific
user, including events initiated by Active Roles.
• Email tags to include the additional information in alert email notifications.

Event Details pane


A Source field in the Event Details pane displays the name of the application from which the change event was
generated (Change Auditor, Active Roles, or GPOADmin). For change events generated by Active Roles or
GPOADmin, the name of the user account that initiated the change is displayed in parentheses.
NOTE: If the Source field displays ‘ActiveRoles’ (instead of ‘ActiveRoles Server’) you are not using the latest
integration scripts. To take advantage of the additional events and initiator account information captured
using the integration scripts, ensure that you are running Active Roles 6.9 (or higher) with Change Auditor for
Active Directory 6.0 (or higher).

All Active Directory events including Active


Roles/GPOADmin initiator built-in report
A built-in report is available which retrieves events for all Active Directory changes, including events initiated by
Active Roles or GPOADmin. The search definition for this report also includes the initiator information (Initiator
UserName and EventSource columns) in the search results.

To run the built-in Active Roles search:


1 Open the Searches page.
2 To display the available built-in searches, expand and select the Shared | Built-in | All Events folder.
3 Locate the All Active Directory Events Including ActiveRoles/GPOAdmin Initiator search and select
the search definition and click Run.
A new Search Results page is displayed populated with the audited events that met the search criteria,
including the Initiator UserName and EventSource information.

Quest Change Auditor 6.9 Installation Guide


56
Active Roles Integration
Layout tab
The Change Auditor database includes columns to record Active Roles and GPOADmin information. The columns
are not displayed by default on a Search Results page for most searches. However, using the Layout tab you can
add the following information for all searches:
• EventSource — for all events, the name of the application from which the event was generated (Change
Auditor, Active Roles, or GPOADmin).
• Initiator Mail — for all generated by Active Roles or GPOADmin, the email address of the user that
initiated the change.
• Initiator SID — for events generated by Active Roles or GPOADmin, the SID of the user that initiated the
change.
• Initiator UserName — for events generated by Active Roles or GPOADmin, the name of the user that
initiated the change.

To add a column to the search results:


1 Open the Layout tab.
2 Locate the columns (EventSource, Initiator Mail, Initiator SID, or Initiator UserName) in the Unselected
Columns table.
3 Select the columns to add and use the right arrow button to move them to the Selected Columns table.
The column is added to the bottom of the list or beneath the highlighted column in the Selected Columns
table.
You can also ‘drag’ a column to the Selected Columns table.
4 The Selected Columns table also displays the order the columns are presented. To rearrange columns, use
the up and down arrow buttons located to the right of the Selected Columns table.
You can also ‘drag’ columns within this table to define the order.

Who tab
When using the Who tab to retrieve change events initiated by a specific user, changes initiated by Active Roles
are not automatically included in the search. A check box is available on the Who tab which instructs Change
Auditor to retrieve all change events initiated by the specified user, including those made through Active Roles and
GPOADmin.

To include Active Roles initiated events:


1 Open the Searches page
2 In the explorer view (left pane), expand and select the folder where you want to save your search (for
example, Shared or Private).
3 Click New to enable the Search Properties tabs.
4 On the Who tab, click Add to add an active user, computer, or group to the ‘who’ list.
5 On the Select one or more Directory Objects dialog, use either the Browse or Search page to locate the
user, computer, or group to include.
Once you have located the directory object, select it and click Add to add it to your selection list.
Repeat this step to include each additional directory object.
6 After selecting one or more directory objects, click Select to save your selection and close the dialog.

7 Back on the Who tab, select the Include Event Source Initiator check box.
NOTE: Including the event source initiator, may have a noticeable effect on the search performance,
depending on the size of the database and the number of results returned in the search.

Quest Change Auditor 6.9 Installation Guide


57
Active Roles Integration
When this search runs, Change Auditor retrieves all events made by the specified user account, including
events initiated by Active Roles.
In addition, when the Include Event Source Initiator option is selected the Initiator UserName column is
added to the Search Results grid for this search. For events initiated by Active Roles, this column contains
the user account that was logged in to the Active Roles console.

Email tags
Change Auditor/Active Roles integration email tags are available which can be added to the event details of alert
email notifications. These new email tags are:
• %EVENTSOURCE% - indicates the application where the change event came from: Change Auditor,
Active Roles, or GPOADmin.
• %INITIATORMAIL% - for events generated by Active Roles or GPOADmin, the email address of the user
that initiated the event.
• %INITIATORSID% - for events generated by Active Roles or GPOADmin, the SID of the user that initiated
the event.
• %INITIATORUSERNAME% - for events generated by Active Roles or GPOADmin, the name of the user
that initiated the event.
See the Change Auditor User Guide for more information about how to configure and enable email notifications
and customize email content.

Removing deployed Change


Auditor/Active Roles integration scripts
You can use the Active Roles console to manually remove previously deployed integration scripts.

To remove integration scripts:


1 Open Configuration | Policies | Administration.
2 Right-click Change Auditor Integration Policy, select Policy Scope.
3 Remove Active Directory in the object list.
4 Delete Change Auditor Integration Policy.
5 Right-click Change Auditor Integration Deprovision Policy, select Policy Scope.
6 Remove Active Directory in the object list.

7 Delete Change Auditor Integration Deprovision Policy.

If you are using...


Active Roles 6.9 • Navigate to Configuration | Script Modules and delete
Active Roles 7.0 Quest Change Auditor Integration Script.
Active Roles 7.1

Quest Change Auditor 6.9 Installation Guide


58
Active Roles Integration
Troubleshooting Tips
Not receiving events from Active Roles
To diagnose problems with receiving events from Active Roles, check the ‘EDM Server’ event log on the Active
Roles server.

Initiator information missing in events


Some events do not provide the initiator account information. This could be caused by the following:
• Manually created objects
Computer objects that are manually created do not capture the initiator account information of the user that
initiated the change.
• Protected and unprotected objects
If an object is protected and unprotected through the Active Roles console, the initiator account will be
missing from Change Auditor.
The Protect/Unprotect operation in Active Roles is not a direct Active Directory attribute operation. When
you protect/unprotect an object, you actually add an Access Template link to the security descriptor in
Active Directory. Because of this, the initiator account information is not captured for events related to
protect/unprotect events.
• In some scenarios, the following events do not capture the initiator account information when made through
the Active Roles console:
▪ User password changed
▪ User password changed by non-owner
▪ User must change password at next logon option changed

Quest Change Auditor 6.9 Installation Guide


59
Active Roles Integration
13
Quest GPOADmin Integration
GPOADmin uses a proxy account (service account) to connect and change Active Directory objects and group
policies. In past releases, Change Auditor only captured the service account name in the event details for changes
initiated through GPOADmin. GPOADmin now integrates with Change Auditor and allows the name of the user
who initiated the GPOADmin operation and comments to display in the Change Auditor client.
NOTE: GPOADmin only sends initiator and comment information to Change Auditor for the following
operations:
• GPO deployment
• Working copy check-in
• Working copy check-out

This appendix covers the following topics for GPOADmin integrations:


• Requirements
• GPOADmin and Change Auditor integration process
• Client components added to Change Auditor
• Troubleshooting tips

Requirements
GPOADmin
• GPOADmin 5.9 to 5.11.1.
• The GPOADmin service account must be authorized to access the Change Auditor SDK. That is, add the
GPOADmin service account to the ChangeAuditor Administrators security group.
NOTE: If you must use a role with the minimum permissions, use the Application User Interface page
on the Administration Tasks tab to define a new role that contains the ‘Add Sdk’ and ‘View Sdk’
operations. Also, the GPOADmin service account must be added to the ChangeAuditor
Administrators group for integration to function properly.
NOTE: For more information on using the Application User Interface page to define a new role, see
the Change Auditor User Guide.

• Change Auditor auditing must be enabled GPOADmin server properties for events to generate.

Change Auditor for Active Directory


• Change Auditor for Active Directory 5.7 (or higher)

Quest Change Auditor 6.9 Installation Guide


60
Quest GPOADmin Integration
GPOADmin and Change Auditor
integration process
Some GPOADmin events recorded by Change Auditor have the initiator name in the event. The initiator is the
name of the account logged in to the GPOADmin client performing actions in GPOADmin. However, the initiator
name is not always populated due to how the GPO is processed in Active Directory.
The following is a high-level overview of typical Change Auditor events recorded when modifying a GPO using
GPOADmin:
1 A user logged in to GPOADmin to modify a GPO setting.
Change Auditor records the following events:
An event for the creation of a new GPO (the working copy GPO). The “who” in the event shows the
GPOADmin service account and the initiator and the name of the user who was logged in to GPOADmin.
A rename event for the new GPO.
A permission change for the new GPO, granting the user logged in to GPOADmin rights to the working
copy GPO.
Modification events performed on the working copy GPO. The who of these events show the user logged in
to GPOADmin and the initiator blank as the initiator and the who are the same.
2 Once the GPO is checked in, there are number of events recorded with the “who” being the GPOADmin
service account and the initiator blank. This is because importing the settings from the working copy to the
live copy is performed in Sysvol, outside of GPOADmin. It is the same processes that are performed if the
GPO was edited in GPMC. GPOADmin has no knowledge of what is being performed with these Active
Directory operations and cannot communicate to Change Auditor who the initiator is as they happened
outside of all the GPOADmin processes.
3 Approval is requested in GPOADmin. The approver approves and deploys the GPO.
This generates Change Auditor events where the “who” is the GPOADmin service account and the initiator
is the name of the approver.
Events where the initiator is the name of the approver and the action logged was that the version of the
GPO attribute was changed, are the events that show when the GPO was deployed and who performed
the deployment.
4 GPOADmin provides the initiator name to Change Auditor using Change Auditor APIs.
You will see a considerable amount Change Auditor GPO events generated when performing actions in
GPOADmin. This is due to how GPOADmin processes GPOs and how they are deployed to the live
environment.

Client components added to Change


Auditor
You can view initiator information retrieved from GPOADmin on the Search Results page in the Change Auditor
client. You can use the following to display this additional information:
• A field on the Event Details pane that displays the additional information retrieved from GPOADmin.
• A built-in report that retrieves all Active Directory changes, including those initiated by GPOADmin.
Running this report also displays the Initiator UserName and EventSource columns in the search results.
• Columns on the Layout tab that allow you to add the event source and initiator information to other search
definitions.

Quest Change Auditor 6.9 Installation Guide


61
Quest GPOADmin Integration
• Option on the Who tab that allows you to create a custom search to search for events initiated by a specific
user, including those initiated by GPOADmin.
• Email tags to include the additional information in alert email notifications.

Event Details pane


A Source field is available in the Event Details pane that displays the name of the application from which the
change event was generated (such as, Change Auditor, Active Roles, or GPOADmin). In addition, for change
events generated by GPOADmin or Active Roles, the name of the user account that initiated the change is
displayed in parenthesis.

All Active Directory events including Active


Roles/GPOADmin initiator built-in report
A built-in report is available that retrieves events for all Active Directory changes, including those initiated by
GPOADmin and Active Roles. The search definition for this report also includes the initiator information (Initiator
UserName and EventSource columns) in the search results.

To execute the built-in GPOADmin search:


1 Open the Searches page.
2 Expand and select the Shared | Built-in | All Events folder to display the built-in searches available.
3 Locate the All Active Directory Events Including ActiveRoles/GPOADmin Initiator search and use one
of the following methods to run the selected search:
▪ Double-click a search definition
▪ Right-click a search definition and select Run
▪ Select the search definition and click Run
A new Search Results page appears populated with the audited events that met the search criteria,
including the Initiator UserName and EventSource information.

Layout tab
Columns are added to the database to record the information retrieved from GPOADmin or Active Roles. These
columns are not displayed by default on a Search Results page for most searches. However, using the Layout tab
you can add the following information to all searches:
• EventSource - for all events, the name of the application from which the event was generated (i.e.,
Change Auditor, Active Roles, or GPOADmin).
• Initiator Mail - for events generated by GPOADmin or Active Roles, the email address of the user that
initiated the change.
• Initiator SID - for events generated by GPOADmin or Active Roles, the SID of the user that initiated the
change.
• Initiator UserName - for events generated by GPOADmin or Active Roles, the name of the user that
initiated the change.

To add new columns to the search results:


1 Open the Layout tab.
2 Locate the new columns (EventSource, Initiator Mail, Initiator SID, and/or Initiator UserName) in the
Unselected Columns table.
3 Select the columns to add and use the right arrow button to move them to the Selected Columns table.

Quest Change Auditor 6.9 Installation Guide


62
Quest GPOADmin Integration
The column will be added to the bottom of the list or beneath the highlighted column in the Selected
Columns table.
You can also drag a column to the Selected Columns table.
4 The Selected Columns table also displays the order the columns will be presented. To rearrange the
columns, use the up and down arrow buttons located to the right of the Selected Columns table.
You can also drag columns within this table to define the order.

Who tab
When using the Who tab to retrieve change events initiated by a specific user, changes initiated by GPOADmin will
not automatically be included in the search. A check is available in the Who tab which instructs Change Auditor to
retrieve all change events initiated by the specified user, including those made through GPOADmin.

To include GPOADmin initiated events:


1 Open the Searches page.
2 In the explorer view (left pane), expand and select the folder where you want to save your search (e.g.,
Shared or Private).
3 Click New to enable the Search Properties tabs.
4 On the Who tab, click Add to add an active user, computer or group to the ‘who’ list.
5 On the Select one or more Directory Objects dialog, use either the Browse or Search page to search your
environment to locate the user, computer or group to be included.
Once you have located the directory object to be included, select it and click Add.
Repeat this step to include each additional directory object.
6 After selecting one or more directory objects, click Select to save your selection and close the dialog.

7 Back on the Who tab, select the Include Event Source Initiator check box.
NOTE: Including the event source initiator, may have a noticeable effect on the search performance,
depending on the size of the database and the number of results returned in the search.

When this search is run, Change Auditor retrieves all events made by the specified user account, including
those initiated by GPOADmin.
In addition, when this check box is selected the Initiator UserName column is added to the Search Results
grid for this search. For events initiated by GPOADmin, this column contains the user account that was
logged into the GPOADmin console.

Email tags
The following email tags are available which can be added to the event details of alert email notifications:
• %EVENTSOURCE% - indicates the application where the change event came from: Change Auditor,
Active Roles, or GPOADmin.
• %INITIATORMAIL% - for events generated by GPOADmin or Active Roles, the email address of the user
that initiated the event.
• %INITIATORSID% - for events generated by GPOADmin or Active Roles, the SID of the user that initiated
the event.
• %INITIATORUSERNAME% - for events generated by GPOADmin or Active Roles, the name of the user
that initiated the event.
See the Change Auditor User Guide for more information on how to configure and enable email notifications and
customize email content.

Quest Change Auditor 6.9 Installation Guide


63
Quest GPOADmin Integration
Troubleshooting tips
If GPO events initiated by GPOADmin do not appear in the Change Auditor client as expected, check the
following:
• GPOADmin/Change Auditor integration is through the SDK. Once configured, Change Auditor agents
receive the configured settings in the next configuration polling interval (default every 15 minutes). Before
the configuration is received by a Change Auditor agent, GPOADmin initiator and comment information will
not be available for GPO events.
To make sure Change Auditor has the latest GPOADmin configuration, manually refresh the agent
configuration (Refresh Configuration on Agent Configuration Page on the Administration Tasks tab).
NOTE: This delay is only applicable when you first install GPOADmin/Change Auditor or when the
service account in GPOADmin has changed.

• Verify that the GPO is not being protected by Change Auditor’s Group Policy Object Protection feature.
When configured, Change Auditor prevents all changes to GPOs, regardless of the tool that is used to
make the change (including GPOADmin).
• GPOADmin only sends initiator and comment information to Change Auditor for GPO deployment, working
copy check in, and working copy check out operations.
• It may be necessary to restart the GPOADmin service before correct initiator information can be retrieve by
Change Auditor. Before restarting the GPOADmin service, check the Change Auditor coordinator’s status
to ensure that the coordinator has been initialized and is running.

Quest Change Auditor 6.9 Installation Guide


64
Quest GPOADmin Integration
14
Windows Installer Command Line
Options
This section lists the Windows Installer command line options (MSIEXEC.exe) that are available for deploying an
agent or installing a coordinator.
• Agent options
• Coordinator options
For more information on using the Windows Installer (MSIEXEC.exe) see: http://msdn.microsoft.com/en-
us/library/aa367988(VS.85).aspx

Agent options
Table 8. Change Auditor agent command line options

Option Use this to...


INSTALLATION_NAME="<name>", Specify the Change Auditor installation name.
INSTALLATION_NAME_VALID="1"
APPDIR="<install directory>" Specify the installation path.
INSTALLER_ITAD_GPTBACKUP="<path>" Specify a GPO backup path.
ADAM_LOGON= "<username>" Specify the user credentials used to access an ADAM
ADAM_DOMAIN="<domain name>" instance.
ADAM_PASSWORD="<password>"
SYSTRAY_AUTOSTART="1" Specify whether to open the agent system tray icon on
SYSTRAY_AUTOSTART="0" startup.
• Set to "1" to launch agent system tray icon
• Set to "0" to not launch the agent system tray
icon
RESTARTONFAILURE="3" Specify whether to automatically restart the agent on
RESTARTONFAILURE="0" failure.
• Set to "3" to automatically restart the agent
• Set to "0" to not automatically restart the agent

Quest Change Auditor 6.9 Installation Guide


65
Windows Installer Command Line Options
Table 8. Change Auditor agent command line options

Option Use this to...


EVENTLOG_BLOCK_OVERRIDE="1" Specify whether to override event log block detection.
• Set to "1" to enable this override
When this setting is set to "0" (default), the event log
detection is active which detects whether or not the
system EventLog service is holding one of Change
Auditor’s event log message DLLs open. If one of
these DLLs are open, the Windows Installer Restart
Manager can cause unpredictable restarts of
dependent services.
NOTE: This applies to server agents running Windows
Server 2008 (or later).
FOREIGN_LOGON_ACCOUNT="<domain\user>" For foreign agents (non-domain members), specify the
FOREIGN_PASSWORD="<password>" foreign credentials to be used to find and connect to a
coordinator in the Active Directory forest.
FOREIGN_FOREST_ROOT_DOMAIN="<FQDN>" For foreign agents (non-domain members), use this
option to specify the fully-qualified domain name
(domain.com) of the root domain of Active Directory.
FOREIGN_CREATE_AGENT_GROUP="1" For foreign agents (non-domain members), specify
whether the logged in user is to be added to the
ChangeAuditor Agents security group.
• Set to "1" to add the user to this security group.

Coordinator options
Table 9. Change Auditor coordinator command line options

Option Use this to...


AGENT_LEGACY_PORT="<static port number>" Assign the static port number to be used by legacy
(5.x) agents to communicate with the coordinator.
AGENT_PORT="<static port number>" Assign the static port number to be used by the 6.x
agents to communicate with the coordinator.
AGREETOLICENSE="YES" Agree to the Software License Agreement.
CLIENT_PORT="<static port number>" Assign the static port number to be used by the client
when communicating with the coordinator.
INSTALLATION_NAME="<installation name>" Set the Change Auditor installation name.
SDK_PORT="<static port number>" Assign the static port number to be used by external
applications to access the coordinator.
SQLSERVER_DATABASE="<database name>" Provide the name of the Change Auditor database.
SQLSERVER_AUTH="1" Specify whether to use SQL or Windows®
authentication.
• Set to "1" to use SQL authentication.
SQLSERVER_SQLSERVER="<IP address\server Specify the SQL instance used to store the Change
name>" Auditor database.
SQLSERVER_LOGINID="<user name>" Specify the user name used to connect to the SQL
instance.
SQLSERVER_PASSWORD="<password>" Specify the password used to connect to the SQL
instance.

Quest Change Auditor 6.9 Installation Guide


66
Windows Installer Command Line Options
Table 9. Change Auditor coordinator command line options

Option Use this to...


SQLSERVER_DOMAIN="<domain name>" If Windows authentication is being used, specify the
domain of the user credentials used to connect to the
SQL instance.
ADD_USER_CAADMINS="1" Specify whether the logged in user is to be added to
the ChangeAuditor Administrators security group.
• Set to "1" to add the user to this security group.
EVENTLOG_BLOCK_OVERRIDE="1" Specify whether to override event log block detection.
• Set to "1" to enable this override
When this setting is set to "0" (default), the event log
detection is active which detects whether or not the
system EventLog service is holding one of Change
Auditor’s event log message DLLs open. If one of
these DLLs are open, the Windows Installer Restart
Manager can cause unpredictable restarts of
dependent services.
NOTE: This applies to coordinators running Windows
Server 2008 (or later).

Quest Change Auditor 6.9 Installation Guide


67
Windows Installer Command Line Options
About us

We are more than just a name


We are on a quest to make your information technology work harder for you. That is why we build community-
driven software solutions that help you spend less time on IT administration and more time on business innovation.
We help you modernize your data center, get you to the cloud quicker and provide the expertise, security and
accessibility you need to grow your data-driven business. Combined with Quest’s invitation to the global
community to be a part of its innovation, and our firm commitment to ensuring customer satisfaction, we continue
to deliver solutions that have a real impact on our customers today and leave a legacy we are proud of. We are
challenging the status quo by transforming into a new software company. And as your partner, we work tirelessly to
make sure your information technology is designed for you and by you. This is our mission, and we are in this
together. Welcome to a new Quest. You are invited to Join the Innovation™.

Our brand, our vision. Together.


Our logo reflects our story: innovation, community and support. An important part of this story begins with the letter
Q. It is a perfect circle, representing our commitment to technological precision and strength. The space in the Q
itself symbolizes our need to add the missing piece — you — to the community, to the new Quest.

Contacting Quest
For sales or other inquiries, visit www.quest.com/contact.

Technical support resources


Technical support is available to Quest customers with a valid maintenance contract and customers who have trial
versions. You can access the Quest Support Portal at https://support.quest.com.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a
day, 365 days a year. The Support Portal enables you to:
• Submit and manage a Service Request.
• View Knowledge Base articles.
• Sign up for product notifications.
• Download software and technical documentation.
• View how-to-videos.
• Engage in community discussions.
• Chat with support engineers online.
• View services to assist you with your product.

Quest Change Auditor 6.9 Installation Guide


68
About us

You might also like